Drafted around a set of internationally recognised privacy principles, the new law provides a framework of rights and duties designed to give individuals greater control over their personal data. The DPL joins the Confidential Information Disclosure Law, 2016 and common law obligations of confidentiality to give the Cayman Islands the most comprehensive data protection regime in the region. 

With the implementation date less than a month away, managers of Cayman funds that have not already done so should take steps to ensure that they understand their funds’ obligations under the new law. This will include having in place policies and procedures to ensure the proper protection of all personal data under their control, as well as creating an effective governance regime for approving, overseeing, implementing and reviewing those policies. Cayman funds must get it right – reputations and criminal liability will soon be at stake.

Data protection effect on funds

“Personal data” is defined widely under the law to include any data relating to a living individual. Therefore, the average fund potentially generates and retains a large amount of personal data. Fund managers hold proprietary and personal information about markets, companies and individuals, including high-value email and contact lists and net worth information.

Under the DPL, personal data held by a fund must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the data subject in advance. Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing can only be undertaken if there is a legitimate purpose for doing so and if the data subject has been notified.

While it is unlikely that a fund manager will use personal data other than for the purposes of processing an investment and meeting legitimate reporting and record keeping obligations, funds must set out both the purposes for which personal data is being collected and details regarding with whom that data may be shared. The fund should disclose this information in a separate privacy notice, which can be provided with the fund’s offering memorandum and subscription documents.

Transferring Data to Third Parties

Fund managers’ operational, trading and back[1]office functions are now mostly digitised and delegated to external service providers. In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of personal data are made to third parties.

Fund managers must, therefore, conduct proper due diligence on the systems, policies and procedures of those third-party service providers to ensure that personal data is handled appropriately and securely. In addition, it is advisable for each manager to conduct regular physical audits and independent testing of a service provider’s controls.

Contractual provisions should be put in place between the fund (as the data controller) and the third-party service provider (as the data processor) to ensure that any personal data is processed only for authorised purposes; that all data is stored and transmitted securely; and that disaster-recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited without the prior approval of the fund.

Data protection Compliance for funds

The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data be corrected or deleted. Funds will need to implement policies and procedures to manage these requests.

The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted. Prescribed data-retention periods are not set out in the DPL, but an analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.

The Office of the Ombudsman will have responsibility for enforcing the new law and has issued a Guide for Data Controllers to assist organisations with the implementation process. Breaches of the DPL could result in fines of up to CI$100,000 per breach, imprisonment for a term of up to five years or both. Other monetary penalties of up to CI$250,000 are also possible under the law.

In addition to the enforcement powers of the Ombudsman, the DPL provides that any person who suffers damage as a result of a data controller’s breach may bring a civil claim for compensation. This means that a DPL breach could be used either as a standalone claim or as part of a litigation strategy to support a wider claim against a fund.

Implementing a new data protection compliance programme to take account of the DPL or incorporating the requirements of the DPL into an existing programme will involve ensuring that there is an effective governance regime for approving, overseeing, implementing and reviewing data-protection policies and procedures. Although the appointment of a Data Protection Officer is not mandatory under the DPL, funds are recommended to do so to ensure a coordinated chain of command and proper compliance.

Protecting personal data is increasingly business-critical for funds. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to a fund following a breach could be devastating.

First published by Hedge Fund Law Report, September 2019.

Key Contacts

Sailaja Alla

Partner: Cayman Islands

T +1 345 814 2054
E Email Sailaja

Peter Colegate

Partner, Global Head of Technology & Innovation : Cayman Islands

T +1 345 814 2745 | +1 345 324 0504
E Email Peter

Twitter LinkedIn Email Save as PDF
More Publications
16 Aug 2023

Bondholder Litigation Under the Spotlight in the Offshore Jurisdictions

Can an ultimate beneficial owner of notes file a winding up petition against the issuer? In this ar...

2 Aug 2023

Reliance on the Merger Price in Cayman Appraisal Actions

Andrew Jackson, Damon Booth, Barry Isaacs KC and Toby Brown consider the use of the merger price to ...

25 Jul 2023

Loans & Secured Financing in the Cayman Islands 2023

A Q&A guide that provides a topical analysis of loans & secured financing in the Cayman Islands.

17 Jul 2023

Re HQP Corporation Limited (in Official Liquidation) – A Lifeline for Unredeemed Investors in Cases of Substantial Corporate Fraud

Given the Cayman Islands’ status as a leading offshore financial centre and home to a very signifi...

13 Jul 2023

Grand Court takes novel approach in crypto winding up proceedings brought by retail investors

On 7 July 2023, the Honourable Justice Kawaley issued a winding-up order in the Financial Services D...

18 May 2023

The 2023 Cayman Islands Real Estate Guide

The Real Estate 2023 guide provides the latest legal information on the impact of disruptive technol...

26 Apr 2023


Segregated portfolio companies (SPCs) are frequently used in Cayman Islands (re)insurance structures...

13 Feb 2023

Offshore AML Regulation and Enforcement in the Cayman Islands

In the February 2023 edition of Financier Worldwide, Miriam Smyth answers questions about AML Regula...