This guidance is intended to supplement Cavendish Family Office (London)'s Data Protection and other information security policies, and has been developed to aid the understanding of Cavendish Family Office (London)'s obligations in the event of a data security breach.
These guidelines apply to all members of Cavendish Family Office (London). All employees, consultants, contractors, and agents acting for or on behalf of Cavendish Family Office (London) should be made aware of these guidelines and Cavendish Family Office (London)'s Data Protection Policy.
This policy applies to all methods of processing of personal information on any device used by Cavendish Family Office (London).
The General Data Protection Regulation and the Data Protection Act require that personal data be processed fairly and lawfully and, in particular, not be used or processed in ways that would have unjustified adverse effects on the individuals concerned.
A personal or sensitive data breach is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the purposes of Cavendish Family Office (London)'s business.
Employees of Cavendish Family Office (London) who access, hold or process personal or sensitive data for Cavendish Family Office (London)'s business must take appropriate steps to ensure no unauthorised or unlawful processing, accidental loss, destruction of, or damage to personal data occurs.
A personal data breach can occur because of several reasons, such as:
Data security breaches should be contained and responded to immediately upon discovering the breach. An Impact Assessment should be undertaken to identify measures required to control or limit potential damage and recover from the incident.
All data breaches, actual and potential, must be reported to Cavendish Family Office (London) Mark Estcourt.
Some data security breaches may not lead to risks beyond a possible inconvenience to those who need the data to undertake their role, for example, where a laptop is damaged beyond repair but the files contained on the laptop were previously backed up and are recoverable.
Following immediate containment, any risks associated with the breach must be assessed.
Any potential adverse consequences affecting individuals, including Cavendish Family Office (London) itself, and the seriousness of the breach must be considered.
The following considerations should be taken upon discovering a data breach:
Upon the completion of an impact assessment by Cavendish Family Office (London) and the Data Protection Team, breaches capable of adversely affecting any individuals should be communicated to those individuals, ensuring that specific and clear advice is provided on the steps to be taken to mitigate the risk of any harm and that appropriate levels of support are provided.
Evaluate whether the Information Commissioner’s Office, other local or regional regulatory bodies and/or other official bodies such as the Police or banks/building societies should be notified of the data breach.
Serious data breaches may require an announcement to the media to be communicated to individuals concerned and the public, dependent on the seriousness and extent of the breach. This avenue of informing should be considered and implemented where appropriate.
It is crucial for all departments to be aware that data breaches, actual or potential, require documentation and investigation. Response to the breach requires evaluation in terms of effectiveness.
Where a breach is caused by systemic and ongoing technical problems, merely containing the breach and continuing ‘business as usual’ will not be deemed acceptable. Cavendish Family Office (London) will continually monitor all areas where the potential for data compromise may occur and immediately address any areas requiring improvement to prevent a recurrence.