Lightning Packaging Supplies GDPR Policy

Lightning Packaging Supplies, a trading division of Bunzl Retail and Healthcare Supplies Limited gathers and retains information pertaining to businesses and individuals. This includes customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This data protection policy ensures Lightning Packaging Supplies:

  • Complies with data protection law and follows good practice
  • Protects the rights of staff
  • Is open how it stores and processes individuals’ data
  • Protects itself from the risks of a data breach


The data protection act 1998 is fully complied with.
We follow the eight most important principles. Data must:

  • Be processed fairly and lawfully
  • Be obtained only for specific, lawful purposes
  • Be adequate relevant and not excessive
  • Be accurate and kept up to date
  • Not be held for any longer than necessary
  • Processed in accordance with the rights of data subjects
  • Be protected in appropriate ways
  • Not be transferred outside the European Economic Area (EEA) unless that country or territory also ensures adequate protection



The policy applies to:

  • The Offices of Lightning Packaging Supplies
  • The cloud infrastructure of Lightning Packaging Supplies
  • All staff and volunteers of Lightning Packaging Supplies
  • All contractors, suppliers and other people working on behalf of Lightning Packaging Supplies

It also applies to all data that the company holds relating to identifiable individuals, even if the information technically falls outside of the data protection Act 1998. This can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Plus, any other information relating to individuals


This policy helps to protect Lightning Packaging Supplies from data security risks including:

  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
  • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.


Everyone who works for or with Lightning Packaging Supplies has some responsibility for ensuring data is collected, stored and handled appropriately.
Each person that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

  • The board of directors are ultimately responsible for ensuring that Lightning Packaging Supplies meets its legal obligations.
  • Inclusion of data protection within regular management and staff meetings to be updated, reviewed, responsibilities qualified, risks and any issues discussed.
  • Arrange data protection training and advice for personal covered in this policy
  • Handling data protection questions from staff and anyone else covered by this policy
  • Dealing with individual requests to see data that the company holds

Outsourced/third party companies that work with us.

  • We monitor all third-party companies that we work with to make sure that no data is removed from a customer site or cloud infrastructure without a customer’s instruction to do so. For instance, copying databases in order to fix corruptions.
  • In rare cases where a third party may need to access data, we sign and hold non-disclosure agreements
  • When working with Microsoft, we monitor all interaction with a customer’s system. No data is removed from local premise or cloud infrastructure apart from rare instances when event logs are required to repair a customer’s network.


  • The only people with access data covered by this policy will be those who need it for their work.
  • Data will not be shared informally. When access to confidential information is required employees are to request it from one from the Managing Director.
  • Lightning Packaging Supplies will provide training to all employees to help them understand their responsibility when handling data.
  • Employees are to keep all data secure, by taking sensible precautions and following the guidelines below.
  • Strong passwords are used and will never be shared.
  • Multi-Factor Authentication (MFA) will be used by all staff when accessing our systems
  • Personal data will not be disclosed to unauthorised people, either within the company or externally.
  • Data will be reviewed regularly and updated if it is found to be out of date. If no longer required data will be shredded.
  • Employees should seek help from one of the Directors if they are unsure of any aspect of data protection.


When data is stored on paper it will be kept in a secure place where unauthorised people cannot see it.

  • When not required any paper or files will be kept in a locked drawer or filing cabinet
  • Employees are to make sure paper and printouts are not left where unauthorised people can see them, e.g. on a printer etc.
  • Data printouts will be shredded and disposed of securely when no longer required.
  • Data stored electronically is protected from unauthorised access, accidental deletion and malicious hacking attempts.
  • Electronic data is protected by strong passwords that are changed regularly and not shared between employees. Multi-Factor authentication (MFA) is also used by all staff
  • Occasionally data may be stored on removable media, these are kept locked away securely and when no longer required data is deleted.
  • Data is stored in our cloud infrastructure environment protected by MFA
  • On-site servers containing any personal data are not used
  • Data is backed up off site frequently. Backups are done regularly and not held on-site.
  • Data is never saved directly to laptops, desktops or other mobile devices.
  • All servers and computers containing data are protected by approved software, firewall and MFA security.
  • Customer devices held within our office for repairs will also be covered under this policy. Customer data may be backed up, restored and will be deleted when no longer required.

Lightning Packaging Supplies hold a certificate of registration with the Information Commissioners Office.
Lightning Packaging Supplies also all hold valid ISO9001 certification.


Personal data is of no value to Lightning Packaging Supplies unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft. Therefore the following must be adhered to:

  • When working with personal data employees must ensure the screens of their PC’s are always locked when left unattended.
  •  Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
  • Data must be encrypted before being transferred electronically.
  • Personal data should NEVER be transferred outside the European Economic Area.
  • Employees should not save copies of personal data to their own PC’s.
  • Employees always access and update the central copy of any data.
  • No personal data will be copied from a customer site to our own cloud infrastructure. Only configuration data may be held to help support the customer.


The law requires Lightning Packaging Supplies to take reasonable steps to ensure data is kept accurate and up to date.

  • Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
  • Staff should take every opportunity to ensure data is updated. For instance. confirming contact details when a customer calls.
  • Lightning Packaging Supplies will make it easy for data subjects to update the information Lightning Packaging Supplies holds about them.
  • Data should be updated as inaccuracies are discovered.  As an example, if a customer can no longer be reached on their stored contact number or email address it should be removed from the database.


All individuals who are the subject of personal data held by Lightning Packaging Supplies
are entitled to ask what information the company holds on them and why

  • Ask how to gain access to it
  • Be informed how to keep it up to date
  • Be informed how the company is meeting its data obligations.
  • All “Opt-in” data saved and used for the purposes of marketing, all individuals are always given an “Opt-out” option. If an “Opt-out” option is received the data is removed and deleted accordingly.

If an individual contacts the company requesting this information, this is called a subject request. Subject access requests should be made via email to
Staff will provide the relevant data within a reasonable time
Most importantly staff will always verify the identity of anyone making a subject access request before handing over any information.

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances Lightning Packaging Supplies will disclose requested data. However, the Directors will ensure the request is legitimate, seeking assistance from the company’s legal advisor if necessary.

Lightning Packaging Supplies aims to ensure the individuals are aware that their data is being processed and that they understand

  • How the data is being used
  • How to exercise their rights
  • How to “Opt-out” of any/all marketing activity.

Lightning Packaging Supplies display’s its privacy and cookie policy in the public domain via its web site


Lightning Packaging Supplies – GDPR – General Data Protection Regulation - Policy