This document is reviewed annually each October or sooner if legislation or our operations change. The latest version will always be available at www.cavfo.com
• This policy sets out how Cavendish Family Office (London) Limited identifies, assesses, contains, and reports personal data breaches, in accordance with UK GDPR and the Data Protection Act 2018.
• Applies to all staff, contractors, consultants, and agents, and to all systems and devices used for Cavendish business, including cloud and AI-enabled services.
• Personal data breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
• Special category data: as defined under UK GDPR Article 9.
• Incident: any suspected or actual event that could compromise confidentiality, integrity, or availability of personal data.
• Incident lead: the CEO’s delegate for data protection (contact: mark@cavfo.com). Owns breach handling and reporting.
• Data protection contact: leads assessment, notification decisions, and record-keeping.
• IT/security: containment, forensics, log preservation, and technical remediation.
• Legal/compliance: ICO and data subject notifications and counsel.
• Communications: approved external messaging.
• All staff: must report suspected incidents immediately and preserve evidence.
• Immediate internal reporting via email to the Incident Lead and Legal with “DATA BREACH – URGENT” in the subject; include what, when, how, systems involved, data types, volumes, and who is affected.
• Processors must notify us without undue delay and in any event within 24 hours, as required by their contract with us.
Containment and preservation
• Isolate affected accounts, devices, and services, revoke access tokens, rotate credentials, enable litigation hold, and preserve logs.
• Do not alter potentially evidential systems beyond containment actions.
Initial assessment (within 24 hours)
• Determine: personal data affected; whether special category or children’s data; volume; identifiability; security controls (e.g. encryption at rest/in transit); likely risk to rights and freedoms; cross-border implications; processor involvement.
Classify severity:
• Low: unlikely to result in a risk to individuals (no ICO or data subject notification; record the decision and rationale in the breach register).
• Moderate: likely to result in a risk to individuals (notify the ICO within 72 hours; assess whether data subjects should also be told).
• High: likely to result in a high risk to individuals (notify the ICO within 72 hours and affected data subjects without undue delay).
Regulatory notification
• ICO: where a breach is likely to result in a risk to the rights and freedoms of individuals, notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If notification is later than 72 hours, record the reasons for the delay.
• Content to ICO: nature of breach; categories/approximate number of data subjects and records; DPO/contact details; likely consequences; measures taken or proposed.
• Record all decisions in the breach register.
Notifying affected individuals
• Where a breach is likely to result in a high risk, notify affected individuals without undue delay, in clear language, setting out the nature of the breach, likely consequences, steps they should take, and our contact point.
• Where the affected data was protected by strong encryption and the keys were not compromised, the risk to individuals may be low enough that notifying them is not required; the ICO assessment still applies. Record the rationale either way.
Third-party processors, cloud, and AI tools
• We require processors to: (a) notify us within 24 hours, (b) provide incident details, logs, and remediation steps, and (c) cooperate with investigations.
• No client or website data may be used to train external AI models. AI tools are used under human supervision only.
• International transfers must use approved safeguards (UK addendum/SCCs or the UK-US data bridge).
Documentation and record-keeping
• Maintain a breach register recording: facts, effects, data types, numbers affected, assessment, decisions, notifications, timings, remedial actions, and lessons learned.
• Keep copies of notifications, forensic reports, and communications.
Remediation and lessons learned
• Implement corrective actions (technical, process, contractual).
• Conduct a post-incident review within 10 working days; report key findings to the board.
• Update risk assessments, supplier controls, and staff training as required.
Training and testing
• Mandatory annual training for all personnel on breach identification and reporting.
• Conduct at least one tabletop exercise per year; record outcomes and improvements.
Policy governance
• This policy is reviewed each October or sooner if operations, suppliers, or law change.
• Contact: mark@cavfo.com for questions or suspected incidents.