This document is reviewed annually each October or sooner if legislation or our operations change. The latest version will always be available at www.cavfo.com
This policy sets out how Cavendish Family Office (London) Limited (“Cavendish”) manages and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We depend on accurate and secure personal data for the normal conduct of our business and therefore apply strict controls over its collection, use, storage, transmission, and destruction.
This policy aims to:
• Ensure the security, integrity, and availability of all company and client data.
• Protect the interests of individuals and other stakeholders.
• Establish clear standards for lawful data processing.
• Support compliance with statutory, contractual, and professional duties.
• Impose technical and organisational controls consistent with our risk tolerance.
Cavendish endorses the data-protection principles set out in Article 5 UK GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
This policy applies to all Cavendish employees, directors, contractors, and third-party processors who have access to Cavendish or client data in any form or medium.
It covers all personal and sensitive personal data processed by Cavendish within the UK and abroad, whether stored electronically or in paper form, during any part of its lifecycle.
All staff, consultants, and vendors must confirm they have read, understood, and agree to abide by this policy.
• Defines data-security requirements, controls, and classification standards.
• Approves procedures for collection, processing, storage, transmission, and disposal.
• Maintains compliance with legislation and coordinates reviews and updates.
• Authorises any external data processing or transfer arrangements.
• Handle data only for legitimate business purposes.
• Protect it from unauthorised disclosure, alteration, or destruction.
• Report any actual or suspected breach immediately.
• Must maintain policies consistent with this one and may not bypass Cavendish security requirements.
• Must confirm compliance through written agreement before receiving or processing data.
Data shall be collected lawfully, fairly, and transparently under one or more of the legal bases in the UK GDPR. The purpose and lawful basis will be documented at or before the point of collection.
Personal data shall only be used for the purpose for which it was collected. Any other use is unauthorised and may constitute misuse of data. Access shall be limited to authorised users only, and strong authentication and access controls shall be applied.
Data shall be retained only as long as necessary to fulfil its purpose or legal requirement, then securely deleted or anonymised. Encryption and access controls shall be applied wherever feasible.
When personal data is transmitted or shared, it must be encrypted or otherwise protected from interception. Transfers outside the UK will only occur where adequate safeguards are in place.
Data must be destroyed securely and irreversibly. Paper records shall be cross-shredded or incinerated; digital records shall be permanently deleted from all systems and backups in accordance with the Data Retention Policy.
Any suspected data breach must be reported immediately to the CEO (Data Protection Officer). The breach will be investigated and documented, and notifications will be made to affected individuals and the Information Commissioner’s Office (ICO) where legally required.
Intentional misuse or negligent handling of personal data may result in disciplinary action up to and including dismissal or contract termination.
This policy shall be reviewed annually by the CEO and senior management to ensure continued compliance with the UK GDPR and related data-protection laws, including updates to reflect evolving technology and business practices.