The Cayman Islands recently implemented data protection legislation similar to that adopted elsewhere in the world, including the EU’s General Data Protection Regulation (GDPR). The GDPR forced many businesses outside its immediate jurisdiction to adopt new privacy practices, and the Cayman legislation, titled (DPL), has international implications much like those of its European counterpart.
Much like the GDPR, the DPL aims to provide individuals with more control over the use of their personal data, and to better protect this data. While there are more similarities than differences between the two, the Ombudsman of the Cayman Islands cautioned in its guidance that there are “differences between the EU legislation and the DPL which must be taken into account when interpreting the legislation.”
What is the scope of the legislation?
American investment advisers and managers of private investment funds that are established — either incorporated or registered as a foreign company — in the Cayman Islands are subject to the DPL. If the adviser or manager is not established in the Cayman Islands, but processes or controls personal or sensitive personal data in the Cayman Islands, the DPL still applies.
More specifically, the DPL applies to individuals (data subjects) whose data is processed by “data controllers” and “data processors.” Data controllers are persons or companies with the ability to decide for which purpose, and in which manner, data is collected and stored, while data processors execute those instructions. For example, a fund adviser or manager that is not registered or incorporated in the Cayman Islands, but has employees located there and thus processes protected employee data in the Cayman Islands, would be subject to the DPL as it pertains to that data.
Based on those definitions, funds established in the Cayman Islands are likely to be “data controllers,” and third parties — such as a payroll agency, outsourced compliance or a data analytics company — might be “data processors.” However, there is some overlap. The Ombudsman clarified that “a data processor may, to a certain extent, decide on how the personal data should be processed.” In that instance, the vendor or third party — such as an insurer or law firm — may actually be a joint controller and subject to the obligations imposed by the DPL on data controllers. Whether a vendor or third party is a data processor or joint controller is often situational and specific to the data type and use. Determining which role a vendor or third party plays will be important in satisfying the DPL contract-language requirements.
What data protection policies should be in place?
Data controllers subject to the DPL should review their current data privacy policies for compliance with the DPL. In doing so, they should consider whether the nature and amount of data collected is necessary to meet their business objectives. Those policies should also include provisions on how to respond to requests for information or requests for correction/deletion of information.
The DPL requires that entities not in the Cayman Islands but processing personal data there must have a local representative who (i) is established in the Cayman Islands, (ii) serves as a data controller and (iii) has all the obligations the DPL imposes on a data controller.
In addition, the DPL provides that the commercial relationship between data controllers and data processors or joint controllers must be governed by a written contract. Some terms of this contract are prescribed by the DPL, so it is important to ensure the contract is compliant with the legislation. The DPL guidance includes a checklist of mandatory terms, which dictates, among other things:
- That the data processor must only act on written instructions from the controller, unless so required by law
- That the data processor must take appropriate measures to ensure data security
- The subject matter and duration of data processing
- The nature and purpose of the processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller
- That processors ensure that individuals processing the data are subject to a duty of confidentiality
- That sub-processor engagement occurs only on consent of the controller and with a written contract
- That the data processor must cooperate if the data subject seeks access to their data or exercises rights under the DPL
- Breach notification requirements
- Return of data to the controller at the conclusion of the engagement
- That the data processor will submit to audits and inspections
Contracts may also address the data processor’s own obligations and liabilities under the DPL and reflect any agreed-upon indemnifications.
When handling, controlling or directing the processing of personal data subject to the DPL, the fund adviser or manager should memorialize the valid grounds for doing so and ensure that the data is secure. Being transparent with data subjects about what personal data is collected and how it is used is an important feature of the DPL. The DPL also stresses that the data collection must have a lawful basis and must be fair.
Similar to the GDPR’s emphasis on data minimization — the concept that companies keep only that data which they must — the DPL encourages companies to review the data they hold and delete that which is not needed. Personal data controlled by the company must be adequate, relevant and not excessive. One area in which the DPL differs from the GDPR is the breach notification timeline. The DPL is slightly more generous and allows for up to five days to notify a breach. Unlike the GDPR, the DPL caps monetary penalties, but allows for imprisonment of up to 5 years in the event of a violation.
Finally, investor communication is another important aspect of the transition. Since the legislation has taken effect, funds should already have reviewed and amended privacy notices for compliance with the DPL and sent the revised notices to investors. Subscription agreements and private placement memoranda should also include provisions informing investors of the new privacy protections.
Compliance with this new legislation involves a thorough review of many contracts and policies, including vendor relationships that involve the transfer or sharing of personal data subject to the DPL. This review should be planned with a legal advisor. Since the DPL is part of a new area of law — one in which legislation and regulations are quickly changing at the international level — funds should closely monitor this area.