How fund managers should prepare for the Cayman Islands Data Protection Law

Published: 20 Sep 2019
Type: Insight

The Cayman Islands Data Protection Law, 2017 (DPL) comes into force on 30 September 2019 and will regulate the future processing of all personal data in the Cayman Islands.


Drafted around a set of internationally recognised privacy principles, the new law provides a framework of rights and duties designed to give individuals greater control over their personal data. The DPL joins the Confidential Information Disclosure Law, 2016 and common law obligations of confidentiality to give the Cayman Islands the most comprehensive data protection regime in the region. 

With the implementation date less than a month away, managers of Cayman funds that have not already done so should take steps to ensure that they understand their funds’ obligations under the new law. This will include having in place policies and procedures to ensure the proper protection of all personal data under their control, as well as creating an effective governance regime for approving, overseeing, implementing and reviewing those policies. Cayman funds must get it right – reputations and criminal liability will soon be at stake.

Data protection effect on funds

“Personal data” is defined widely under the law to include any data relating to a living individual. Therefore, the average fund potentially generates and retains a large amount of personal data. Fund managers hold proprietary and personal information about markets, companies and individuals, including high-value email and contact lists and net worth information.

Under the DPL, personal data held by a fund must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the data subject in advance. Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing can only be undertaken if there is a legitimate purpose for doing so and if the data subject has been notified.

While it is unlikely that a fund manager will use personal data other than for the purposes of processing an investment and meeting legitimate reporting and record keeping obligations, funds must set out both the purposes for which personal data is being collected and details regarding with whom that data may be shared. The fund should disclose this information in a separate privacy notice, which can be provided with the fund’s offering memorandum and subscription documents.

Transferring Data to Third Parties

Fund managers’ operational, trading and back[1]office functions are now mostly digitised and delegated to external service providers. In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of personal data are made to third parties.

Fund managers must, therefore, conduct proper due diligence on the systems, policies and procedures of those third-party service providers to ensure that personal data is handled appropriately and securely. In addition, it is advisable for each manager to conduct regular physical audits and independent testing of a service provider’s controls.

Contractual provisions should be put in place between the fund (as the data controller) and the third-party service provider (as the data processor) to ensure that any personal data is processed only for authorised purposes; that all data is stored and transmitted securely; and that disaster-recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited without the prior approval of the fund.

Data protection Compliance for funds

The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data be corrected or deleted. Funds will need to implement policies and procedures to manage these requests.

The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted. Prescribed data-retention periods are not set out in the DPL, but an analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.

The Office of the Ombudsman will have responsibility for enforcing the new law and has issued a Guide for Data Controllers to assist organisations with the implementation process. Breaches of the DPL could result in fines of up to CI$100,000 per breach, imprisonment for a term of up to five years or both. Other monetary penalties of up to CI$250,000 are also possible under the law.

In addition to the enforcement powers of the Ombudsman, the DPL provides that any person who suffers damage as a result of a data controller’s breach may bring a civil claim for compensation. This means that a DPL breach could be used either as a standalone claim or as part of a litigation strategy to support a wider claim against a fund.

Implementing a new data protection compliance programme to take account of the DPL or incorporating the requirements of the DPL into an existing programme will involve ensuring that there is an effective governance regime for approving, overseeing, implementing and reviewing data-protection policies and procedures. Although the appointment of a Data Protection Officer is not mandatory under the DPL, funds are recommended to do so to ensure a coordinated chain of command and proper compliance.

Protecting personal data is increasingly business-critical for funds. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to a fund following a breach could be devastating.

First published by Hedge Fund Law Report, September 2019.

Share
More publications
Appleby-Website-Fraud-and-Asset-Tracing
8 Jul 2026

A Cautionary Tale in Interim Injunctive Relief: Lessons from Dixon v Seymour

In a recent judgment of Chief Justice Ramsay-Hale, the Cayman Grand Court provided guidance on the necessary components of an application for interim injunctive relief. The ruling illustrates how an ex parte application may fail to satisfy the American Cyanamid test when unsupported by proper evidence.

Appleby-Website-Regulatory-Practice
7 Jul 2026

CIMA’s 2026 Reinsurance Thematic Review: Focus Points for Boards

The Cayman Islands Monetary Authority (CIMA) has published its 2026 Thematic Review of Reinsurance Companies (Thematic Review). This reflects fieldwork conducted by CIMA between mid-2025 and Q1 2026 at selected Class B(iii) and Class D licensed reinsurers. The focus being on compliance with the Insurance Act (as revised) and other applicable legislation, regulations, rules and statements of guidance as issued by CIMA centering around stress-testing, cash flow testing frameworks, capital and collateral adequacy management, and corporate governance. Corporate governance weaknesses account for 68% of all findings with the remaining 32% spread across stress-testing, cash flow testing capital and collateral adequacy. Notwithstanding these findings, CIMA has noted several good practices across all areas including, importantly, comprehensive risk management frameworks covering key risk areas and strong capital and collateral adequacy monitoring processes. With Cayman’s reinsurance sector having grown to an institutional scale, and over 110 licensed reinsurers writing in the order of US$30 billion in annual premiums against over US$100 billion in assets, this latest Thematic Review demonstrates development in CIMA’s supervisory expectations of Cayman’s licensed reinsurers. It represents a reflection of the jurisdiction’s increasingly sophisticated and maturing reinsurance market and reinforces that CIMA’s expectations align closely with the standards that onshore counterparty cedants, rating agencies and US state regulators already expect. We take this opportunity to review certain of the key findings alongside CIMA’s cross-sectoral 2026 Thematic Review on Outsourcing, note some of the good practices highlighted by CIMA and make some associated recommendations for Cayman reinsurers.

Appleby-Website-Regulatory-Practice
25 Jun 2026

CIMA Enforcement Action in Focus: Reminders and Recommendations

The Cayman Islands Monetary Authority (CIMA) has recently published a number of Enforcement Notices that provide helpful context for regulated entities, including Licensees and Registered Persons under the Securities Investment Business Act (Revised) (SIBA), seeking to understand and meet their ongoing regulatory obligations in the Cayman Islands. In early June 2026, CIMA exercised its enforcement powers under SIBA Section 17 to cancel the registrations of several SIBA Registered Persons on the basis that it had reasonable grounds to believe that such Registered Persons had failed to meet certain key regulatory obligations. The Appleby Team takes this opportunity to review the relevant findings and CIMA enforcement action; and to highlight certain key obligations that attach to regulated entities in the Cayman Islands.

Appleby-Website-Regulatory-Practice
23 Jun 2026

Important Cayman Islands Industry Advisory: Common Reporting Standard 2.0 and Economic Substance Updates

Further to the introduction of the Tax Information Authority (International Tax Compliance) (Common Reporting Standard) (Amendment) Regulations, 2025 (the CRS Amendment Regulations or CRS 2.0), the Cayman Islands Department for International Tax Cooperation (DITC) has issued an Industry Advisory flagging certain key updates in respect of Common Reporting Standard (CRS) and Economic Substance (ES) reporting in the Cayman Islands. Cayman Financial Institutions will be required file 2025 CRS Returns and Declarations by 31 July 2026, ahead of the online DITC Portal’s closure to facilitate its transition to XML Schema v3.0. ES courtesy reminders (which have historically been sent by email to designated Responsible Persons in advance of annual ES reporting deadlines) will no longer be issued such that Relevant Entities will need to independently track such deadlines themselves. Updated Individual and Entity CRS Self-Certification forms, aligned with CRS 2.0, are now available online via the DITC website.

JPLs, Directors and Arbitration: Grand Court Clarifies the Scope of Provisional Liquidators' Powers
18 Jun 2026

JPLs, Directors and Arbitration: Grand Court Clarifies the Scope of Provisional Liquidators' Powers

In Peakwave Investment Management Ltd v Energy Evolution GP Ltd [2026] CIGC (FSD) 22, the Grand Court clarified the scope of joint provisional liquidators' powers following their appointment. In particular, the Court confirmed that the appointment of provisional liquidators does not automatically displace existing directors.

Appleby-Website-Cayman2
17 Jun 2026

Property, Fairness and the Constitution: The Grand Court Marks the Boundaries of Freedom of Information

The Grand Court of the Cayman Islands has overturned a decision of the Ombudsman in a successful judicial review brought by Caribbean Utilities Company, Ltd. (CUC), represented by Appleby.

JPLs, Directors and Arbitration: Grand Court Clarifies the Scope of Provisional Liquidators' Powers
28 Apr 2026

The Interplay Between Supervision Applications and Winding Up on the Just and Equitable Ground: Re Atlas Capital Markets LLC

In its recent judgment in Re Atlas Capital Markets LLC [2026] CIGC (FSD) 19, the Grand Court considered itself bound to make a supervision order pursuant to s.131(b) of the Companies Act, notwithstanding that the company was the subject of a pending just and equitable winding up (J&E) petition when its voluntary liquidation was commenced; and rejected an attack on the joint voluntary liquidators’ (JVLs) independence, which was principally based on a misreading of the JVLs’ evidence and lacked any objective foundation. The authors, who successfully represented the JVLs in obtaining the supervision order, discuss this important judgment further below – which is believed to be the first decision on the interplay between supervision applications and J&E proceedings under the Companies Act – and offer their views on the guidance that shareholders petitioning on the just and equitable ground may derive from it in future cases.  The challenge to the JVLs’ independence was rejected on the well-established principles which Doyle J discussed in Re Global Fidelity Bank [2021] 2 CILR 361, and is not discussed in further detail below.

Appleby-Website-Insurance-and-Reinsurance
23 Apr 2026

ReConnect 2026: Practical takeaways for Reinsurers, Cedants and Investors doing business in the Cayman Islands

The Cayman International Reinsurance Commercial Association (CIRCA) held its annual conference, [Re]Connect, last week at the Ritz-Carlton, Grand Cayman. This year’s [Re]Connect has once again demonstrated Cayman’s growing influence in global reinsurance and the strength of the jurisdiction’s regulatory, professional and commercial ecosystem. The event brought together 675 registered delegates, including reinsurers, cedants, major US law firms, audit firms, tax practices, asset managers, overseas regulators, industry leaders and rating agencies – as well as Appleby Cayman’s [Re]Insurance Team, with Miriam Smyth, Regulatory Counsel, speaking on a panel of experts on structuring, licensing and operating a Cayman insurer.

JPLs, Directors and Arbitration: Grand Court Clarifies the Scope of Provisional Liquidators' Powers
23 Apr 2026

FamilyMart and Beyond: The Continuing Influence of the Privy Council’s Landmark Decision on Shareholder Litigation

The Privy Council's decision in FamilyMart China Holding Co Ltd v Ting Chuan (Cayman Islands) Holding Corp [2023] UKPC 33 is a landmark ruling that distinguishes the arbitrability of underlying shareholder disputes from the court's exclusive jurisdiction over just and equitable winding-up of a Cayman company.

Appleby-Website-Private-Client-and-Trusts-Practice
22 Apr 2026

Regulation, Regulation, Regulation

The article discusses updates to global trust guidance and regulation, as well as beneficial ownership and the regulatory burden on trustees that comes with increased transparency.