GDPR

Lucidx GDPR Compliance Statement

This statement sets out the operating procedures Lucidx undertakes to ensure GDPR best practice is observed to the greatest extent possible, at all times.

1. What is GDPR?The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection, storage, and processing of personal information from individuals who live in the European Union (EU).
   The Information Commissioner’s Office is the UK regulator dealing with the Data Protection Act 2018 and the General Data Protection Regulation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 across the UK.
   The ICO are like the data protection police and we need to make sure we always keep on their good side. Our determination to be 100% GDPR and PECR compliance will do exactly that!
   It is important to take GDPR compliance very seriously, since the penalties for non-compliance are punitive and designed to be painful. You definitely don’t want to be on the receiving end of an ICO investigation or enforcement notice!
   
2. Lucidx’s relationship with youLucidx is a service provider, when you engage our services, we work for you, and
   when we create data, we create data exclusively for you.
   To put this in the language of GDPR and the ICO:
   • You are the data controller – data belongs to you and is not shared with any
     other client, company or third party. No messaging is sent without your
     oversight.
   • We are the data processor – we are the data processor. We work for you.

1. Does your marketing activity qualify?Lucidx’s services are designed and offered solely to help businesses promote to
   other businesses. I.e. B2B marketing only.
   Before launching new client activity, Lucidx conducts an in-depth assessment to
   establish if the product or service, combined with the proposed targeting, meets
   the criteria for GDPR compliant business to business (b2b) marketing. This
   assessment is called the Legitimate Interest Assessment (LIA).
   Prior to conducting the LIA, suitability can usually be determined by the
   following two questions:

1. • Will the product or service being offered benefit the businesses you are
     targeting, and not the individual?The product or service that you are offering needs to be of benefit to
     the target business, and when talking to any individual, relevant to
     their business role only. It can help to consider the following
     examples:
     • If you are targeting companies that sell widgets, to offer
       marketing services designed to increase their sales of widgets,
       then there is a clear, sole benefit to the company.
     • If you are looking to contact business owners in order to help
       them invest their hard-earned wealth, despite the links to their
       professional role, this is aimed at the individual not the
       company.
   • Are the services being provided equally beneficial to whomever may be
     contacted about them?If question one can be answered positively then a further test to the
     business nature of your offering is to consider the target individuals
     that you would like to introduce it to. The only consideration here
     should be job specific – typically department and seniority. Your offer
     should be equally relevant to whoever fills these role(s) at any given
     time, and in no way targeting any given individual.

1. Lucidx and Personally Identifiable Information (PII)At the core of the Lucidx process is the identification of target companies.
   Whilst the details of this stage can vary, it involves no personal information
   at all. Once the list of accounts has been finalised we then determine the
   details of the individuals in the target role(s) at the companies. This stage
   typically generates Personally Identifiable Information (PII).
   Personally Identifiable Information (PII) data held is kept to an absolute
   minimum:

1. • Name
   • Business email address – emails are only stored that are on the target
     company domain(s). For example, if targeting a company who’s website is
     widgets.com, emails will be @widgets.com. No personal email addresses are
     stored, ever.
   • Social profile URLs

1. Legitimate Interests
2. GDPR sets out a number of permissible circumstances (or categories) under which
   PII can be stored and processed, the most appropriate category in the case of
   Lucidx is Legitimate Interests.
   This link explains the Legitimate Interests basis for storing and processing PII:
   https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
   To ensure client activity falls into this category, prior to engaging, we will
   carry out a full Legitimate Interests Assessment (LIA) with each new client.
   Essentially the LIA is a questionnaire containing a series of questions about
   your scenario. There are 3 areas that need to be satisfied for Legitimate
   Interests to be used as a basis for processing PII:

1. • Identify a legitimate interestThe legitimate interest can be your own interests or the interests of
     third parties. They can include commercial interests, individual
     interests or broader societal benefits.The data processing is generally in your interests – whether it be to
     increase market share, increase brand awareness, or engage business
     leaders.
   • Show that the processing is necessary to achieve itCan the same result be achieved differently? Core to the Lucidx service is
     the efficiency and constant drive to be the most cost-effective sales
     channel which we believe cannot be replicated using other methods.
   • Balance it against the individual’s interests, rights and freedoms.Would the individual expect their data to be used in this way? Would an
     individual who lists publicly their role within a company expect to be
     contacted about services that may help that company or their department
     within the company?No data processing may replace or infringe the individuals interests or
     cause unjustified harm

1. LIA FailuresIf Lucidx determines that your planned B2B prospecting activity does not meet the
   criteria for Legitimate Interests within the scope of GDPR then we cannot
   support the activity within any regions subject to GDPR.
   
2. Rights of Individuals

1. • Privacy PolicyAll messages sent will contain a link to a privacy policy that explains
     to the user exactly what their rights are as well as the type of data
     that is held about them and by who.Lucidx will provide a template privacy policy or review your existing one
     to ensure it meets the required standard.A link to our Privacy Policy which is based upon this template is here:
     https://Lucidx.io/privacy-policy/This standard privacy link would typically be contained in the email
     signature of any outbound messaging, in the case of messaging as part of
     client campaign activity, the privacy link will be that of our client’s
     own privacy policy.
   • Opting Out & Exclusion ListsAll recipients are able to opt out easily to prevent further email
     communication being received.All replies to prospecting emails are logged and those prospects are
     added to your campaign exclusion list within 24 hours.Lucidx allows import of existing exclusion lists in advance of campaign
     activity. Exclusions can be submitted in the form of individual email
     addresses or full domains, and will prevent communications being issued
     to those email addresses or domains listed.
   • Subject Access RequestsAll individuals have the right to request a copy of all data you hold on
     them. To support this you can email any SAR requests to [email protected] and
     we will return this data within 72 hours.
   • Right to be ForgottenAll individuals have the right to have their data removed (to be
     ‘forgotten’) which is a request that can be carried out easily by your
     Lucidx account manager. Your data belongs to you and you can choose to
     delete some or all of it at any time.A conflict does arise in removing or forgetting an email address whilst
     at the same time keeping this address on an exclusion list to prevent
     future mailing. Where we have removed data, we will move the email
     address to a separate exclusion list, encrypted using a one-way hashing
     algorithm (SHA1), ensuring we are able to prevent any future messages
     being sent to the customer whilst continuing to honour their right to be
     forgotten.

1. PECR and sending of B2B messagesWhilst GDPR controls the storage and processing of personal data in the UK,
   sending messages is regulated under the Privacy and Electronic Communications
   Regulations (PECR). This is very clear as to the requirements on business
   communication:
   “You can email or text any corporate body (a company, Scottish partnership,
   limited liability partnership or government body). However, it is good practice
   – and good business sense – to keep a ‘do not email or text’ list of any
   businesses that object or opt out, and screen any new marketing lists against
   that.”
   https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/
   
2. Lucidx EmployeesAll Lucidx employees undergo GDPR, PECR and general compliance training, this
   covers the GDPR rule set in detail, the relevance and impact of those rules on
   Lucidx and our clients, and the steps we take to ensure best practice is observed
   at all times. We also make clear the consequences (I.e. penalties) associated
   with failure to meet the strict GDPR standards.
   
3. 10.Data Storage & Data Security

1. • ISO 270001We do not hold the ISO 270001 accreditation however we recognise the
     standards and operate a similar or better approach in most cases. We are
     working to achieve this accreditation
   • StorageAll data regarding our clients, prospects and employees is stored in
     commercial databases hosted in tier 1 EU data centres, encrypted both a
     rest and in transit. Access to the database is secured by both username
     and password and IP address.No passwords are stored in clear text, and access to any information is
     secured by individual user account access. All users with any kind of
     access have been issued with and agreed to Lucidx’s Data and IT Security
     Policy.
   • Data SecurityThe physical security of our data is managed by Azure – more details
     here:
     https://azure.microsoft.com/en-gb/blog/azure-layered-approach-to-physical-security/Our database resides in an isolated environment, behind a firewall with
     all connections restricted by default. All Data (not just PII) is
     encrypted at rest, and has an automated anomalous threat detection
     system monitoring activity.Access to all systems is provided on an individual user account basis,
     with all passwords stored as hashed strings.
   • BackupsIncremental backups are continusously updated giving the ability to
     rollback the database to any point within the past 48 hoursBackups are encrypted at restIn the event of a back up restore, RTE (Right to Erase) data removals are
     automatically re-removed during the backup restore process.
   • Duration of StorageTo ensure private information is held no longer than necessary, all PII
     that is stored or processed solely for client campaign purposes is
     removed (by overwrite) after 24 months of client inactivity (or on
     request).

1. 11.Non-UK regulationsLucidx is a UK based company and operates under UK law. Where the service is used
   to target countries outside of the UK we are unable to provide guidance or take
   responsibility for any additional or differing laws that may be in place.
   
2. 12.Client responsibilityWhilst Lucidx continues to take extensive measures to ensure best practice with
   respect to GDPR and PECR across all client activity, clients should take note
   that responsibility for compliance vests (in different forms) with all parties.
   Lucidx cannot be abreast of the constantly evolving regulatory frameworks in all
   countries at all times, as such it is important that you, as the client, have
   knowledge of your local regulatory climate and ensure your business operates
   within the relevant regulatory frameworks.