With the implementation date now set, Cayman funds should take steps to ensure they understand their obligations under the new law. The funds should put policies and procedures in place to ensure the proper protection of all personal data under their control and create an effective governance regime for approving, overseeing, implementing and reviewing those policies. With reputations and criminal liability soon to be at stake, fund managers need to get it right.
Impact on the funds industry
Personal data is defined widely under the law to include any data relating to a living individual which allows that individual to be identified. This means that the average fund potentially generates and retains a large amount of personal data. Fund managers may also hold proprietary research and investment strategies, proprietary and personal information about markets, companies and individuals, high value email and contact lists and net worth information for individuals. Under the DPL, personal data held by the fund must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the data subject in advance. Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing should only be undertaken if fresh consent is obtained or there is another legal ground authorising that processing.
While it is very unlikely that a fund manager will use personal data other than for the purposes of processing an investment and meeting legitimate reporting and record keeping obligations, the fund must set out the purposes for which personal data is being collected and details of whom that data may be shared with. Recommended best practice would be for this information to be set out in a separate privacy notice which can be provided with the offering memorandum and subscription documents.
Third Party Service Providers
Operational, trading and back-office functions for most Cayman funds are now largely digitised and delegated to external service providers. In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of personal data are made to those third parties. There is no substitute for proper due diligence on the systems, policies and procedures of those providers to ensure that personal data is handled appropriately and securely. Regular physical audits and independent testing of a service provider’s controls would also be advisable.
Contractual provisions should be put in place between the fund (as the data controller) and the third party service provider (as data processor) to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that disaster recovery practices are in place in the event of a data breach.Use of subcontractors by the service provider should be prohibited without the prior approval of the fund.
The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. Funds will need to have policies and procedures in place to manage these requests. The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted.
Prescribed data retention periods are not set out in the DPL but an analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.
Implementing a data protection compliance programme involves engaging with the right stakeholders and creating an effective governance regime for approving, overseeing, implementing and reviewing the various policies. A coordinated chain of command should be developed, together with written reporting procedures, authority levels and protocols including seeking and complying with legal advice. The appointment of official roles such as a Data Protection Officer is also recommended.
Breaches of the DPL could result in fines of up to Cl$100,000 per breach, imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to Cl$250,000 are also possible under the law. The Office of the Ombudsman, which will have responsibility for enforcing the new law, has issued a Guide for Data Controllers to assist the implementation process.
Protecting personal data is now business critical for funds. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to a fund following a breach could be devastating.