With the implementation date now set, Cayman funds should take steps to ensure they understand their obligations under the new law. The funds should put policies and procedures in place to ensure the proper protection of all personal data under their control and create an effective governance regime for approving, overseeing, implementing and reviewing those policies. With reputations and criminal liability soon to be at stake, fund managers need to get it right.

Impact on the funds industry

Personal data is defined widely under the law to include any data relating to a living individual which allows that individual to be identified. This means that the average fund potentially generates and retains a large amount of personal data. Fund managers may also hold proprietary research and investment strategies, proprietary and personal information about markets, companies and individuals, high value email and contact lists and net worth information for individuals. Under the DPL, personal data held by the fund must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the data subject in advance. Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing should only be undertaken if fresh consent is obtained or there is another legal ground authorising that processing.

While it is very unlikely that a fund manager will use personal data other than for the purposes of processing an investment and meeting legitimate reporting and record keeping obligations, the fund must set out the purposes for which personal data is being collected and details of whom that data may be shared with. Recommended best practice would be for this information to be set out in a separate privacy notice which can be provided with the offering memorandum and subscription documents.

Third Party Service Providers

Operational, trading and back-office functions for most Cayman funds are now largely digitised and delegated to external service providers. In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of personal data are made to those third parties. There is no substitute for proper due diligence on the systems, policies and procedures of those providers to ensure that personal data is handled appropriately and securely. Regular physical audits and independent testing of a service provider’s controls would also be advisable.

Contractual provisions should be put in place between the fund (as the data controller) and the third party service provider (as data processor) to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that disaster recovery practices are in place in the event of a data breach.Use of subcontractors by the service provider should be prohibited without the prior approval of the fund.

Achieving compliance

The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. Funds will need to have policies and procedures in place to manage these requests. The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted.

Prescribed data retention periods are not set out in the DPL but an analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.

Implementing a data protection compliance programme involves engaging with the right stakeholders and creating an effective governance regime for approving, overseeing, implementing and reviewing the various policies. A coordinated chain of command should be developed, together with written reporting procedures, authority levels and protocols including seeking and complying with legal advice. The appointment of official roles such as a Data Protection Officer is also recommended.

Breaches of the DPL could result in fines of up to Cl$100,000 per breach, imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to Cl$250,000 are also possible under the law. The Office of the Ombudsman, which will have responsibility for enforcing the new law, has issued a Guide for Data Controllers to assist the implementation process.

Protecting personal data is now business critical for funds. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to a fund following a breach could be devastating.

Share
Twitter LinkedIn Email Save as PDF
More Publications
13 May 2021 |

The 2021 Cayman Islands Real Estate Guide

The Real Estate 2021 guide provides the latest legal information on the impact of disruptive technol...

Contributors: Norman Klein
13 May 2021 |

British Virgin Islands: Mergers & Acquisitions Comparative Guide

This country-specific Q&A provides an overview to Mergers & Acquisitions laws and regulati...

Contributors: Brittany Cummings
13 May 2021 |

Cayman Islands: Mergers & Acquisitions Comparative Guide

This country-specific Q&A provides an overview to Mergers & Acquisitions laws and regulati...

Contributors: Dean Bennett, Vance Power
15 Apr 2021 |

6 months on: Temporary relocation and residency by investment continues to increase in popularity

Six months on from the new digital nomad programmes, did the predicted upward trend reflect the real...

25 Mar 2021 |

Full Steam Ahead at the Jersey Ships Registry

Against a backdrop of uncertainty surrounding Brexit and the difficulties created by the global pand...

24 Mar 2021 |

Economic Substance update Q1 2021

Economic Substance update Q1 2021

12 Mar 2021 |

Material adverse change clauses in light of the Covid-19 pandemic

Experts from each of our key global offices provide jurisdiction specific advice and answer question...

8 Mar 2021 |

Appleby Celebrates International Women’s Day

International Women’s Day is celebrated annually in support of gender equality and equal participa...

2 Feb 2021 |

Cayman – Full steam ahead for leading funds domicile

In this article, leading offshore legal service firm Appleby, discusses some of the key regulatory c...