How Lusha Implemented GDPR

Lusha has built its success on the trust its customers and partners place in our ability to offer premier products and services. This includes a high level of privacy and data protection regarding the personal data that our stakeholders entrust to us.

We have always had an effective privacy program in place which complies with applicable laws and abides by data protection principles. However, Lusha recognises its obligations in updating and expanding this program.

Putting Privacy First

Lusha has taken compliance a step further by fortifying data protection as a core component of the business and implementing controls that comply with the GDPR. Our efforts included an independent third-party audit by ePrivacy to assess and remediate our compliance with the EU data protection legislation.

Lusha is committed to the principles inherent in the GDPR/UK GDPR and endeavours to provide features and functionality to assist our customers and partners to meet their privacy obligations.

Our primary considerations are to ensure that: (i) the protection of personal data entrusted to us is never compromised or misused, (ii) we are fully compliant with our legal and regulatory responsibilities, and (iii) we continue to provide our customers and partners with the highest standard of services.

How We Prepared for GDPR

During the preparation and implementation period, Lusha evaluated the requirements and restrictions imposed by the GDPR and took the necessary actions to ensure that we handle all data operations in compliance with EU legislation.

These efforts included:

Processing of customers’ data. Our ability to fulfil our data protection commitments as a data processor to our customers is a fundamental part of our compliance with the GDPR.

Lusha has worked closely with local counsel in the United Kingdom to ensure that our agreements and policies contain appropriate provisions to (i) address the processing and storage of personal data by Lusha, (ii) set out our privacy commitments to our customers, and (iii) define the rights and obligations of the data controllers (i.e. our customers) and data processor (i.e. Lusha).

Third-party audits and certifications. Lusha has the distinction of being the first B2B sales intelligence platform to obtain an accredited ISO 27701 certification, globally recognised as the highest privacy standard.

Further, Lusha is ISO 27001, ISO 27018 and SOC 2 Type 2 certified and obtained TrustArc’s TRUSTe Enterprise Privacy seal, in addition to the ePrivacyseal; all a testament to the robust controls we have in place for the security and privacy of our designated service offerings.

Expanded disclosure. Lusha offers a clear description of what data we collect, why we collect it, and how we store and process it. This includes explanations of whom the data is shared with, how long it is stored and how data is protected.

Purpose limitation. We offer our clients business contact data to boost their sales and marketing efforts as well as to hunt top talent. We collect and offer our clients the bare minimum of data necessary for sales and marketing activities, information which is usually located in an email signature or printed on a business card.

Giving control to data subjects. A key component of our compliance is our ability to comply with the GDPR when collecting business contact information and enriching our platform. Lusha collects business contact data from public sources rather than the data subjects themselves. We notify contacts about the collection of their data, as required by Article 14, and provide all the required information, including categories of data and purposes of processing. The individuals whose data was collected can opt out at any time.

Further, Lusha notifies its customers of the deletion request of a data subject in accordance with Article 19.

Lusha grants data subjects control over what happens to their data via our self-serve Privacy Centre, where individuals can exercise their rights within the Lusha service offering. Any data subject can submit a request for access to, erasure of or rectification of their data via an easy self-serve tool on our website.

Privacy by design. Lusha ensures that its product development cycle includes controls, specifications, processes, and policies that safeguard the protection of personal data as part of the software development lifecycle.

Dedicated privacy management. Lusha has a designated Data Protection Officer (DPO) and Compliance Manager to develop and implement our roadmap for complying with data protection obligations. The team is responsible for promoting awareness of the GDPR across the organisation, assessing our GDPR readiness, identifying any gap areas and implementing new policies and controls.

Global Privacy Training. Lusha understands that continuous employee awareness and understanding are vital to continued compliance with the GDPR. We have implemented a Global Privacy Training program which forms part of our induction and annual refresher training regime.

Certification vs Self-Declaration

With the GDPR, the EU has legislated a robust and harmonised solution which addresses individual rights and relevant obligations of service providers.

While some companies issue a self-declaration of conformity, Lusha has been audited and certified by an independent third party to demonstrate compliance.

Lusha has dedicated the time, tools, technology and processes to become GDPR compliant, and we have the appropriate third-party certifications in place to demonstrate our steadfast compliance. We understand that the ethical and lawful processing of personal information is fundamental to our continued success.