September 2022

‍Data Protection Policy

‍This policy document is compliant with the provisions of the EU General Data Protection Regulation679/2016.

This policy document sets out the policies and procedures Cavendish Family Office (London) will comply when dealing with personal data.

Personal data must be protected in accordance with the provisions of the General Data Protection Regulation679/2016. Dependence on personal data for the normal conduct of business necessitates the creation of this policy to set out the procedures and measures to protect personal data.

This policy defines rules, procedures, and measures to collect, use, and store personal data in a GDPR-compliant manner and control and prevent unauthorised access to personal data. A breach of data security can lead to regulatory fines, an inability to provide services, loss of customer confidence, physical, financial and emotional damage to the affected persons.

This policy therefore discusses:

• Data categories
• Data classification
• Data ownership
• Data collection/generation
• Data usage
• Data storage
• Data disposal
• Data transfer
• Data security

This policy defines the Cavendish Family Office (London) overall data protection objectives and procedures that we endorse.

This embodies the principles of data protection as described in Article 5 of the GDPR, namely:

• Lawfulness, fairness and transparency,
• Purpose limitation,
• Data minimisation,
• Accuracy,
• Storage Limitation,
• Integrity and confidentiality

Breach of the policy and its consequences

A breach of this policy could have severe consequences to Cavendish Family Office (London), its ability to provide services or maintain the integrity, confidentiality, or availability of services.

Intentional misuse of data resulting in a breach of any part of this policy will result in disciplinary action at the discretion of the senior management of Cavendish Family Office (London). Severe, deliberate or repeated breaches of the policy by any employee may be considered grounds for instant dismissal, or in the case of a Cavendish Family Office (London) vendor, termination of their contracted services. All employees and vendors are bound by these policies and are responsible for their strict enforcement.

‍Scope of the Policy

This policy applies to all Cavendish Family Office (London) and customer data assets that exist in any processing environment of Cavendish Family Office (London), on any media during any part if its life cycle.The following entities or users are covered by this policy:Full or part-time employees of Cavendish FamilyOffice (London) who have access to Cavendish Family Office (London)'s or customer data.

This document forms part of our conditions of employment for employees , contractual agreements for vendors, suppliers, and third party processor or agents, hereafter referred to as vendors. . All parties must read this policy completely, and confirm that they understand the contents of the policy and agree to abide by it.

Data Life Cycle

The security of data can be understood through the use of a data life cycle. The typical life cycle of data is collection/generation, use, storage and disposal. The following sections provide guidance as to the application of this policy through the different life cycle phases of data.

Users of data assets are personally responsible for complying with this policy. All users will be held accountable for the accuracy, integrity, and confidentiality of the information to which they have access. Data must only be used in a manner consistent with this policy.

Data Protection Policy Statement

1. Goals

This policy has been written with the following goals in mind:

• To ensure the security integrity and availability of all the company and customer data
• To establish the company baseline data security stance and classification schema
• that it should enable the firm to meet its own requirements for the management of personal information
• that it should support organisational objectives and obligations
• that it should impose controls in line with the firm’s acceptable level of risk;
• that it should ensure that the firm meets applicable statutory regulatory contractual and/or professional duties;
• that it should protect the interests of individuals and other key stakeholders

2. Processing environment

Cavendish Family Office (London)'s processing environment that this policy applies to is comprised of:

• Systems– A system is an assembly of computer hardware (e.g. sub-networks application servers file servers workstations data etc.) and application software configured for the purpose of processing handling storing transmitting and receiving data which is used in a production or support environment to sustain specific applications and business organisations in their performance of tasks and business processes.
• Applications – Application software is system or network-level routines and programs designed by(and for) system users and customers. It supports specific business-oriented processes jobs or functions. It can be general in nature or specifically tailored to a single or limited number of functions.
• Networks – A network is defined as two or more systems connected by a communication medium. It includes all elements (e.g. routers switches bridges hubs servers firewalls controllers and other devices)that are used to transport information between systems.

3. Data Protection Responsibilities

‍The CEO department is responsible for:

• Defining the security requirements controls and mechanism
• Defining the methods and guidelines used to identify and classify all data assets
• Defining the labelling requirements for all data assets
• Defining procedures for data usage processing transmission storage and disposal
• Defining the procedures necessary to ensure compliance to this policy
• Facilitating the evaluation of new regulatory requirements and best practice.

4. Management Responsibilities‍

Other departments within Cavendish Family Office (London) also have various responsibilities for ensuring  compliance with this policy, such as:

• All individuals in the department must ensure that staff complies with this policy.
• The CEO must ensure that adequate logs and audit trails are kept of all data access.
• The CEO must ensure the activation of all security mechanisms.
• The CEO is responsible for communicating business requirements and issues for business processes and the data those include to ensure their correct data classification.

The CEO is responsible for regularly evaluating the data classification schema for consistent application and use.

5. Other Responsibilities‍

Other departments and related entities have responsibilities to comply with this policy, such as:

All Cavendish Family Office (London) agents, vendors, content providers, and third party providers that process customer data must have a documented data protection policy that clearly identifies those data and other resources and the controls that are being imposed upon them.

All Cavendish Family Office (London) agents, vendors, content providers, and third party providers that access the Cavendish Family Office (London) processing environment and its data or provide content to it must have a security policy that complies with and does not contradict the Cavendish Family Office(London) data protection policy.

All agents, vendors, content providers, and third party providers must agree not to bypass any of our security requirements.

Data Classification

Data classification is necessary to enable the allocation of resources to the protection of data assets, as well as determining the potential loss or damage from the corruption, loss or disclosure of data.

To ensure the security and integrity of all data, the default classification for all data not classified by its owner must be Confidential.

The CEO is responsible for the classification of data.

The CEO is responsible for evaluating the data classification schema and reconciling it with new data types as they enter usage. It may be necessary, as we enter new business endeavours, to develop additional data classifications.

All data found in the processing environment must fall into one of the following categorie(s):PublicCompany Data – Public company data is defined as data that any entity either internal or external toCavendish Family Office (London) can access. The disclosure, use or destruction of Public company data will have limited or no adverse effects on Cavendish Family Office (London) nor carry any significant liability. (Examples of Public company data include readily available news, stock quotes, or sporting information.)

Data Ownership

In order to classify data, it is necessary that an owner be identified for all data assets. The owner of the data isMark Estcourt.

The owner of data is responsible for classifying their data according to the classification schema noted in this policy.

The CEO is responsible for developing, implementing, and maintaining procedures for identifying all data assets and associated owners.

Data collection/generation

Data will be collected in accordance with Article 13 and 14 of the GDPR, confirming to the transparency principle and ensuring that the data protection principles are duly observed.

Data may be collected in the following ways:Data gathered as a result of contracts between vendors andCavendish Family Office (London).

Each mode of data collection should have a specific purpose accompanied by one or more of the legal bases as defined in the GDPR.

Data Usage

All users that access Cavendish Family Office (London) or customer data for use must do so only in conformance to this policy. Uniquely identified, authenticated and authorised users must only access and use data.

Data should be used only for the stated purpose of its collection or generation. Any purpose outside the defined scope will be considered “misuse of data” and will entail consequences for the involved parties.

Each user must ensure that Cavendish Family Office (London) data assets under their direction or control are properly labelled and safeguarded according to their sensitivity, proprietary nature, and criticality.

Access control mechanisms must also be utilised to ensure that only authorised users can access data to which they have been granted explicit access rights.

Data Storage

The general premise for the data storage period is:

• for a time period necessary to fulfil that purpose.
• until the data subject submits a request to delete his/her data on justified ground.

All users that are responsible for the secure storage of Cavendish Family Office (London) or customer data must do so only in accordance with this policy.

Where necessary, data stored must be secured with encryption. This may include the use of confidentiality and/or integrity mechanisms. Specific cryptographic mechanisms are noted in the information security policy of Cavendish Family Office (London).

Access control mechanisms must also be utilised to ensure that only authorised users can access data to which they have been granted explicit access rights.

Data Transmission

All users that access Cavendish Family Office (London) or customer data to enable its transmission must do so only in accordance with this policy.

The media used to distribute data should be classified so that it can be identified as confidential, and if the media is sent using a courier or other delivery methods, it should be accurately tracked.

No data can be distributed in any media from a secured area without proper management approval.

Data Disposal

The CEO must develop and implement procedures to ensure the proper disposal of various types of data.These procedures must be made available to all users with access to data that requires special disposal techniques.

Data should be disposed of in a secure manner so that it is completely destroyed and no information can be obtained from the waste.

For paper records physical paper shredders will be used.

Policy Review

It is the responsibility of the CEO to facilitate the review of this policy on a regular basis. This policy will be reviewed Annually. Senior management should, at a minimum, be included in the Annually review of this policy.

Last updated: 2022-09-15