With the implementation date now set, Cayman funds should take steps to ensure they understand their obligations under the new law. The funds should put policies and procedures in place to ensure the proper protection of all personal data under their control and create an effective governance regime for approving, overseeing, implementing and reviewing those policies. With reputations and criminal liability soon to be at stake, fund managers need to get it right.

Impact on the funds industry

Personal data is defined widely under the law to include any data relating to a living individual which allows that individual to be identified. This means that the average fund potentially generates and retains a large amount of personal data. Fund managers may also hold proprietary research and investment strategies, proprietary and personal information about markets, companies and individuals, high value email and contact lists and net worth information for individuals. Under the DPL, personal data held by the fund must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the data subject in advance. Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing should only be undertaken if fresh consent is obtained or there is another legal ground authorising that processing.

While it is very unlikely that a fund manager will use personal data other than for the purposes of processing an investment and meeting legitimate reporting and record keeping obligations, the fund must set out the purposes for which personal data is being collected and details of whom that data may be shared with. Recommended best practice would be for this information to be set out in a separate privacy notice which can be provided with the offering memorandum and subscription documents.

Third Party Service Providers

Operational, trading and back-office functions for most Cayman funds are now largely digitised and delegated to external service providers. In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of personal data are made to those third parties. There is no substitute for proper due diligence on the systems, policies and procedures of those providers to ensure that personal data is handled appropriately and securely. Regular physical audits and independent testing of a service provider’s controls would also be advisable.

Contractual provisions should be put in place between the fund (as the data controller) and the third party service provider (as data processor) to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that disaster recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited without the prior approval of the fund.

Achieving compliance

The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. Funds will need to have policies and procedures in place to manage these requests. The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted.

Prescribed data retention periods are not set out in the DPL but an analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.

Implementing a data protection compliance programme involves engaging with the right stakeholders and creating an effective governance regime for approving, overseeing, implementing and reviewing the various policies. A coordinated chain of command should be developed, together with written reporting procedures, authority levels and protocols including seeking and complying with legal advice. The appointment of official roles such as a Data Protection Officer is also recommended.

Breaches of the DPL could result in fines of up to CI$100,000 per breach, imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to CI$250,000 are also possible under the law. The Office of the Ombudsman, which will have responsibility for enforcing the new law, has issued a Guide for Data Controllers to assist the implementation process.

Protecting personal data is now business critical for funds. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to a fund following a breach could be devastating.
