Last updated: 22 October 2021
- Our GDPR Principles
- Our Approach to GDPR
- Data Breaches
- Data Subject Rights
- What We Have Done
- Contact Person
- Changes to this Statement
- Document Revision History
- Document Classification
The General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679, is effective from 25 May 2018, replacing national legislations accordingly and the European Privacy Directive. The GDPR sets out to improve the privacy and security of EU citizens’ personal information. It requires no enabling legislation and is therefore applicable and binding from that date.
The GDPR imposes obligations on companies that control or process personal information and introduces new rights for EU data subjects. Whilst it applies to processing carried out by organisations within the European Economic Area (EEA), it also applies to organisations globally that offer goods or services to EU citizens or people in the EU.
The purpose of this public corporate statement is to highlight and demonstrate to our customers the measures we have put in place to ensure compliance with the GDPR where we hold or process personal data on your behalf.
2. Our GDPR Principles
- We will process personal data fairly and lawfully.
- We will only process personal data for the lawful reasons we say we do.
- We will ensure we hold relevant and accurate data and keep it up to date wherever possible.
- We will not store or hold personal data for longer than is necessary to fulfil our contractual obligations with our customers.
- We will keep all personal data secure using modern, best practice techniques and technologies.
- We will ensure personal data is not transferred to countries outside of the European Economic Area (EEA) without adequate safeguards in place.
- We do not conduct business with children and do not knowingly hold or process children’s personal data.
3. Our Approach to GDPR
- A data processor for our customers (the data controller).
- A data controller of our customer and supplier contact information which we hold and process to fulfil our contracts, manage customer requests and help people who come to our website.
- A data controller for our employees, holding and processing their personal information.
As part of our preparation process for GDPR, we continue to review and update all of our internal processes, procedures, policies, documentation and systems. We will be complying with GDPR as a data processor and controller and we have been working with our suppliers and third party vendors to ensure that collectively we can meet our obligations and your requirements.
Throughout our journey to GDPR compliance we have been working closely with independent experts and advisors to ensure we have the expertise needed to comply with the regulation. We view GDPR as a continual project which will require monitoring, improvement and management over time.
At Lumi we treat information security with the utmost importance and we are already aligned with a number of industry best practice standards that concentrate on cyber security such as ISO/IEC 27001 and PCI-DSS.
With regards to our customers, third party suppliers or vendors and any sub-processors - We have been working closely with all parties to ensure their compliance too. Contracts and agreements have been reviewed and we ensure that the necessary organisational and technical controls, policies and procedures are in place so that we are satisfied with the confidentiality, integrity and availability of your data.
4. Data Breaches
Under the GDPR, we are obliged to notify our customers (the data controller) of any data breach without undue delay. In certain circumstances this notification is required to extend to the appropriate national supervisory authority for data protection. Our company headquarters are based in the UK, where this body is the Information Commissioner’s Office (ICO), https://ico.org.uk/. Lumi has therefore ensured robust processes and procedures are in place for identifying, reviewing and swiftly reporting any data breach to the relevant controller and authorities.
In the event of a data breach, we would aim to provide our customer with the following;
- A description of the nature of the breach.
- Contact information for the person responsible for data protection.
- Any likely consequences or risks of the breach.
- Measures taken and proposed to limit any harmful effects or risks to individuals.
5. Data Subject Rights
There have been significant enhancements to the rights of data subjects under the GDPR, that improve the privacy and protection with regards to individuals’ personal data. Lumi is committed to working closely with its customers on whose behalf we hold and process data. Through this collaboration we can best determine how to manage;
- Handling data access requests
- Retention periods
- Rectifying data
- Secure erasure/destruction of data
- Data portability requests
6. What We Have Done
As mentioned above, we now treat GDPR as an everyday part of Lumi life. In this section we’ve included some of the measures we have already taken or continue to take and the work we have completed on our road to compliance.
- We have reviewed and amended contracts in place with customers, suppliers, any sub-processors and third party vendors. As mentioned above, we work closely with these bodies to ensure they meet their GDPR obligations too.
- We have assessed our legal bases for holding and processing data to ensure it is processed lawfully, fairly and transparently.
- We continue to regularly review and update our processes, procedures and policies.
- Our staff are briefed, trained and awareness continues to grow. All of our employees are increasingly aware of their corporate responsibilities and new employees are trained as part of the induction process.
- We have completed, and continue to receive, data privacy impact assessments and welcome any customer to contact us with their own.
- The technology we use to carry out our business evolves continually, and we regularly review and analyse our platforms to ensure they meet required standards we commit to.
- We’re not legally obliged to appoint a DPO, but we have nominated someone at Lumi to have responsibility over data protection and privacy (for more information see below).
- As systems change and update all the time, we continue to audit the information which flows through Lumi and map the data to identify what personally identifiable information we hold and process, and where.
- We are improving our cyber security and are implementing an ISMS to accredited ISO/IEC 27001 certification.
- We are much clearer about getting consent with those who can visit our website or those who request help through channels such as our support function or live chat team.
- As a business-to-business organisation, we were not required to re-permission our marketing base, however we have looked at those who had not been active for over a year and asked for them to re-consent.
7. Contact Person
Lumi does not need to appoint a Data Protection Officer (DPO). However, we have nominated our Chief Technology Officer as the person with overall responsibility for GDPR and matters of data privacy and protection, and is contactable at firstname.lastname@example.org.
9. Changes to this Statement
To keep you updated on how we comply with legislation, we may update this statement from time to time, which will always be published here on our website.
10. Document Revision History
Description of changes
25 May 2018
Dave Palmer (Head of Information Security)
7 December 2020
Dave Palmer (Head of Information Security), Rahul Shah (Chief Financial Officer)
Richard Taylor (Chief Executive Officer)
Draft version for review, update and approval. Applied latest document template, applied ownership and approval processes, assigned unique ISO27001 aligned reference number, enabled tracked changes, updated doc control sections,
15 October 2021
Marc Harper (CTO)
Rahul Shah (CFO)
Updated primacy contact.
This version approved by: Chief Finance Officer
11. Document Classification
This Lumi document has been classified as ‘Public’. This means that Lumi has deemed that the information contained herein is freely available outside of the business or is intended for public use.