This document is reviewed annually each October or sooner if legislation or our operations change. The latest version will always be available at www.cavfo.com
This policy defines how Cavendish Family Office (London) Limited (“the Company”) retains, stores, and deletes personal and business data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all employees, contractors, consultants, and third-party service providers who collect, process, or have access to Company data in any form.
The policy covers all systems and locations where data is stored or processed, including cloud and AI-enabled services used by Cavendish Family Office (London) Limited.
Data must only be retained for as long as is necessary for the purpose for which it was collected.
This policy reflects the principles of:
• UK GDPR (Articles 5 and 32)
• Data Protection Act 2018
• Companies Act 2006
• HMRC record-keeping rules
• ICO Accountability Framework (2023)
• The Data Protection Contact (mark@cavfo.com) is responsible for maintaining this policy, monitoring compliance, and approving data destruction.
• All staff must ensure that data within their control is reviewed periodically and deleted or archived in accordance with this policy.
• External processors must follow equivalent retention and destruction requirements and provide confirmation of secure deletion on request.
Data shall be:
• kept for no longer than necessary;
• stored securely using encryption, access controls, and MFA;
• deleted or anonymised once its retention period expires; and
• reviewed annually to ensure ongoing relevance.
If no specific retention period is stated, a default period of seven years from the date of creation will apply.
Cavendish Family Office (London) Limited retains data only for as long as is necessary for the purpose for which it was collected. In most cases, client and advisory records are kept for seven years after the conclusion of the engagement to meet professional and audit requirements. Company accounts, invoices, and tax filings are also retained for seven years to comply with HMRC and statutory obligations.
Employment and payroll records are held for six years after an employee leaves the business to meet PAYE and HR documentation standards. Board minutes and shareholder resolutions are retained permanently in accordance with the Companies Act 2006.
Marketing consents and mailing preferences are kept until withdrawn, with an additional two-year period retained to demonstrate compliance with data protection requirements.
Operational data, such as AI and meeting transcripts recorded through approved platforms like Otter.ai or Microsoft Teams, are stored for up to twelve months. Information security logs are kept for up to twelve months for monitoring and compliance purposes, while general correspondence and working drafts are typically retained for two years to support business continuity.
Unless otherwise stated, a default retention period of seven years will apply to all remaining data categories.
• Certain data may be stored on secure cloud platforms and AI-assisted tools such as Microsoft 365, Teams, Otter.ai, OpenAI, and Mailchimp.
• All such providers are contractually bound to UK GDPR-compliant safeguards, including the UK-US Data Bridge or Standard Contractual Clauses.
• Client data must never be used to train external AI models. All AI use remains under human supervision.
7. Data destruction
• When data reaches the end of its retention period, it must be securely deleted, shredded, or anonymised.
• Destruction levels:
  • Level I – Confidential and personal data: cross-cut shredding or secure electronic deletion with proof of destruction.
  • Level II – Internal business documents: cross-cut shredding or secure deletion.
  • Level III – Public or non-confidential data: recycling or general waste (no audit trail required).
Certificates or deletion logs must be retained for all Level I disposals.
Data may be retained beyond its normal period where:
• required by law or regulatory inquiry;
• subject to ongoing litigation or investigation; or
• needed to demonstrate compliance with legal obligations.
Any such extension must be authorised by the Data Protection Contact and documented in the Retention Register.
This policy should be read together with the Company’s Data Protection Policy, Privacy Notice, and Data Breach Policy. Any accidental or failed deletion must be reported as a potential data incident within 72 hours under the Data Breach Policy.
• All staff must complete annual data-protection and record-management training.
• This policy is reviewed each October or sooner if legislation, operations, or technology change.
For any questions about this policy or requests concerning data retention or deletion, please contact: mark@cavfo.com