Cayman Funds: Preparing for New Data Protection Laws
The Cayman Islands Data Protection Law, 2017 (DPL), comes into force on 30 September 2019 and will regulate the future processing of all personal data in the Cayman Islands.
Below Lawyer Monthly hears from Peter Colegate, a Cayman-based member of the Privacy & Data Protection group at Appleby, on the impending implications of the new data laws and what this means for the future of personal data in the Cayman Islands.
Drafted around a set of internationally recognised privacy principles, the new law provides a framework of rights and duties designed to give individuals greater control over their personal data and will stand as the most comprehensive data protection regime in the Caribbean region.
Protecting personal data is becoming increasingly more important and business critical for funds. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to a fund following a breach could be devastating.
Preparing for the DPL
Cayman funds should take steps now to ensure they understand their obligations under the new law. This will include having policies and procedures in place to ensure the proper protection of all personal data under their control.
Under the DPL, any personal data held by a fund must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the data subject in advance. Fund personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely destroyed once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing can only be undertaken if there is a legitimate purpose for doing so, which has been notified to the data subject. Recommended best practice would be for this information to be set out in a separate privacy notice which can be provided to investors with the fund offering memorandum and subscription documents.
Transferring personal data to third parties
Contractual provisions should be put in place between the fund (as the data controller) and the third party service provider (as data processor) to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that disaster recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited without the prior approval of the fund.
For service providers who exercise a high degree of autonomy in the handling of personal data they receive, they may also be joint controllers of that data with the fund. Examples may include fund management or compliance/MLRO services. In those circumstances, the fund should put in place a joint controller agreement with the service provider.
Data subject rights
The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. Funds will need to have policies and procedures in place to manage these requests. The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted. Prescribed data retention periods are not set out in the DPL but an analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.
The Office of the Ombudsman will have responsibility for enforcing the DPL and has issued a Guide for Data Controllers to assist organisations with the implementation process. Breaches of the DPL could result in fines of up to Cl$100,000 per breach, imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to Cl$250,000 are also possible under the law.