Financial institutions should take steps now to ensure they understand their obligations under the new law, have in place policies and procedures to ensure the proper protection of all personal data under their control and create an effective governance regime for approving, overseeing, implementing and reviewing those policies. Organisations in Cayman need to get it right – reputations and criminal liability will soon be at stake.
Impact on the financial services industry
The DPL provides a framework of rights and duties designed to give individuals greater control over their personal data. Importantly, the new law supports a growing expectation from international businesses and their clients that organisations operating in offshore jurisdictions have comprehensive data protection compliance requirements backed up by robust data privacy legislation. Personal data is defined widely to include any data relating to a living individual. Under the DPL, the personal data held by the data controller must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the data subject in advance.
Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purpose, this processing can only be undertaken if fresh consent is obtained. Data subjects must also be informed of any countries or territories outside the Cayman Islands to which their personal data may be transferred.
The growing threat of cyber-crime
Offshore financial centres represent an attractive target for cyber criminals because of the large and often highly sensitive data holdings being collectively managed by those centres. As financial institutions increasingly outsource a significant part of their day-to-day operations to external service providers, these transfers also leave them vulnerable to attack. Cyber criminals can easily identify and exploit weak links in the flow of information between the organisation and its external providers.
There is no substitute for proper due diligence on the systems, policies and procedures of third party providers to ensure that personal data is handled appropriately and securely. Regular physical audits and independent testing of a service provider’s controls are advisable.
Contractual provisions should also be put in place with third party service providers to ensure any personal data is processed only for authorised purposes, all data is stored and transmitted securely and disaster recovery practices are in place in the event of a data breach. Use of unauthorised subcontractors by the service provider should be prohibited without the prior approval of the transferor. Data that may have been anonymised or aggregated by an organisation will still require careful handling. The rise of social media and the increase in online public data sources means cyber criminals are now easily able to “re-identify” individuals by combining that information with the anonymised or aggregated datasets.
Data protection, blockchain and FinTech
Financial technologies or “FinTech” are emerging technologies that have the potential to supplement or disrupt the financial services industry. As Cayman presses forward with its ambition to be a leading regional technology hub, FinTech will soon become a key point of focus, both for market participants and for regulators. FinTech solutions also raise data protection concerns that need to be carefully considered before they are adopted.
In the financial services industry, blockchain, or distributed ledger technology, is starting to be used to centralise a number of back-office and compliance functions. One of the major benefits of blockchain technology is its immutability, meaning the data stored on the chain cannot be altered or deleted.
This could also create a data protection problem, because in theory there could be no “right to be forgotten” in the context of blockchain. However, personal data can be kept off blockchain ledgers altogether by replacing the data with a cryptographic hash of it – a fixed-length “fingerprint” from which the data itself cannot be read back. These hashes or digital fingerprints prove that data did exist at a certain date, but without the data itself appearing on the chain.
Encryption controls limiting the accessibility of personal data hashed in the blockchain could be a viable solution for data protection compliance under the DPL. Encrypted personal data may still qualify as personal data under the new law as long as the holder of the data possesses the encryption key. However, if the keys are only made available in circumstances dictated by a smart contract or by the individual data subject, then it is difficult to see the objection from a data protection perspective.
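The following is an added, self-contained illustration of the pattern described in the two paragraphs above (personal data held off-chain, only a fingerprint on the ledger); it is example code written for this page, not code from the article or from any product it mentions. The in-memory “ledger”, the record fields and the subject identifiers are constructed for the demonstration. It also shows the check a practitioner would want before relying on this pattern: a bare hash of a predictable value such as a date of birth can be matched simply by enumerating every possible date, so the fingerprint must be salted (or keyed) and the salt kept off-chain with the record. Once record and salt are deleted, the on-chain value is an opaque string that cannot be tied back to the individual.

```python
"""
Added example (not part of the original article): keep personal data off the
ledger, commit only a salted SHA-256 fingerprint to it, and erase the
off-chain record on request while the fingerprint still proves existence.
LEDGER, OFF_CHAIN and the record layout are assumptions made for this demo.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

LEDGER: List[dict] = []          # stands in for the append-only chain
OFF_CHAIN: Dict[str, dict] = {}  # stands in for the controller's own database


def canonical(record: dict) -> bytes:
    """Serialise deterministically so identical data always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def commitment(record: dict, salt: bytes) -> str:
    """Salted SHA-256 fingerprint: proves the record existed without revealing it."""
    return hashlib.sha256(salt + canonical(record)).hexdigest()


def register(subject_id: str, record: dict) -> str:
    """Store record and salt off-chain; append only the fingerprint to the ledger."""
    salt = secrets.token_bytes(32)          # 256 random bits: not enumerable
    digest = commitment(record, salt)
    OFF_CHAIN[subject_id] = {"record": record, "salt": salt}
    LEDGER.append({"subject_id": subject_id, "commitment": digest})
    return digest


def verify(subject_id: str) -> bool:
    """Whoever holds record + salt can re-derive the on-chain fingerprint."""
    entry = OFF_CHAIN.get(subject_id)
    if entry is None:
        return False                        # nothing off-chain: nothing to prove
    on_chain = [e["commitment"] for e in LEDGER if e["subject_id"] == subject_id]
    if not on_chain:
        return False
    return hmac.compare_digest(commitment(entry["record"], entry["salt"]), on_chain[-1])


def erase(subject_id: str) -> None:
    """Erasure request: delete record and salt; the ledger entry becomes opaque."""
    OFF_CHAIN.pop(subject_id, None)


def recover_unsalted(digest: str, candidates: Iterable[dict]) -> Optional[dict]:
    """Why the salt is needed: an unsalted hash of a small-domain field is a lookup."""
    for candidate in candidates:
        if hashlib.sha256(canonical(candidate)).hexdigest() == digest:
            return candidate
    return None


def dates_in_year(year: int) -> Iterable[dict]:
    """Every date in one year: the full candidate space for an unsalted 'dob' field."""
    d = date(year, 1, 1)
    while d.year == year:
        yield {"dob": d.isoformat()}
        d += timedelta(days=1)


if __name__ == "__main__":
    # Constructed sample record for a fictitious data subject.
    record = {"name": "A. Sample", "dob": "1980-05-17"}
    digest = register("subject-001", record)
    print("on-chain:", digest, "verifies:", verify("subject-001"))
    erase("subject-001")
    print("after erasure verifies:", verify("subject-001"), "ledger entries:", len(LEDGER))
    # The check: a bare hash of the dob alone is recovered by trying 366 dates.
    bare = hashlib.sha256(canonical({"dob": "1980-05-17"})).hexdigest()
    print("unsalted dob recovered:", recover_unsalted(bare, dates_in_year(1980)))
```

The salt plays the role the article assigns to the encryption key: whoever controls it controls whether the fingerprint can ever be connected to a person. In a deployment the salt would be held by the controller or released under the conditions of a smart contract, and deleting it is what makes the on-chain entry no longer personal data in practice.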
The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted.
Organisations will need to have policies and procedures in place to manage these requests. The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted.
Prescribed data retention periods are not set out in the DPL but an analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.
Implementing a data protection compliance programme involves engaging with the right stakeholders across the organisation and creating an effective governance regime for approving, overseeing, implementing and reviewing the various policies.
A coordinated chain of command should be developed, together with written reporting procedures, authority levels and protocols including seeking and complying with legal advice. The appointment of official roles such as a Data Protection Officer is also recommended.
The Information Commissioner will be responsible for overseeing the DPL. The Commissioner will be able to issue guidance as to compliance requirements, investigate complaints of breaches of the DPL, and initiate investigations on its own motion.
The approach to enforcement is expected to be administrative and consultative in nature but criminal sanctions are also available.
Refusal or failure to comply with an order issued by the Commissioner is an offence and the data controller is liable on conviction to a fine of CI$100,000 per breach, imprisonment for a term of up to 5 years, or both. Monetary penalties of up to CI$250,000 are also possible.
Protecting personal data is now business critical for financial institutions in Cayman. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage following a breach could be devastating.