The Cayman Islands Data Protection Law, 2017 (DP Law) is currently scheduled to come into effect on 30 September 2019. Once commenced, it will enact a framework of rights and duties to regulate the processing of individuals' personal data broadly based on the same internationally recognised privacy principles that form the basis for other data protection laws globally. The DP Law will regulate the processing of all personal data in the Cayman Islands and will affect any entity established in the Cayman Islands, including investment funds, that processes personal data regardless of whether such processing takes place within the Cayman Islands and regardless of whether the personal data relates to Cayman individuals. For our full briefing see Cayman Islands Data Protection Law: An Ogier Client Guide.
What does this mean for Cayman funds?
Under the DP Law, any entity established in the Cayman Islands that handles any individual's personal information will have certain obligations with respect to that information and must ensure that such individual is formally apprised of by whom, and for what purpose, any of their personal data is being used.
A Cayman fund will be regarded as a data controller under the DP Law as a 'person who, alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be, processed'. As such, the fund will be responsible for complying with the requirements of the DP Law and the data protection principles in respect of personal data processed by the fund or on behalf of the fund by any third party processors such as its administrator and other service providers (each a data processor).
Under the DP Law, data controllers must act in accordance with eight data protection principles:
- personal data held by the fund must be processed fairly and lawfully;
- personal data must be used for a legitimate purpose that has been notified to the data subject in advance;
- personal data holdings should be adequate and relevant and not be excessive in relation to the purposes for which they are collected;
- personal data held by the fund should be accurate and up to date;
- personal data should not be kept for longer than necessary and should be securely deleted once those purposes have been fulfilled;
- personal data should be processed in accordance with the rights of individuals;
- the fund should apply (and ensure that its data processors apply) appropriate technical and organisational measures in relation to the personal data; and
- personal data shall not be transferred outside of the Cayman Islands other than to a territory with an adequate level of data protection or in accordance with the DP Law.
Breaches under the DP Law could result in fines of CI $100,000 (US $122,000) and certain offences are punishable by imprisonment. Other monetary penalties of up to CI $250,000 (US $305,000) are also possible in certain circumstances.
What action does a Cayman fund need to take to ensure compliance?
Cayman funds should act now to ensure that they comply with the DP Law by the expected commencement date of 30 September 2019. Recommended actions include (without limitation):
- prepare and approve a new privacy notice, or amend the form of the current privacy notice, and circulate the same to existing investors;
- revise the form of subscription documents for any investors subscribing into the fund after the commencement of the DP Law on 30 September 2019;
- ensure that contracts with service providers that process personal data on behalf of the fund comply with the DP Law, and negotiate and agree on amendments if necessary; and
- ensure all amendments to fund documents are appropriately approved and authorised.