Drafted around a set of internationally recognised privacy principles, the new law provides a framework of rights and duties designed to give individuals greater control over their personal data. The DPL joins the Confidential Information Disclosure Law, 2016 and common law obligations of confidentiality to give the Cayman Islands the most comprehensive data protection regime in the region. 

With the implementation date less than a month away, managers of Cayman funds that have not already done so should take steps to ensure that they understand their funds’ obligations under the new law. This will include having in place policies and procedures to ensure the proper protection of all personal data under their control, as well as creating an effective governance regime for approving, overseeing, implementing and reviewing those policies. Cayman funds must get it right – reputations and criminal liability will soon be at stake.

Data protection effect on funds

“Personal data” is defined widely under the law to include any data relating to a living individual. Therefore, the average fund potentially generates and retains a large amount of personal data. Fund managers hold proprietary and personal information about markets, companies and individuals, including high-value email and contact lists and net worth information.

Under the DPL, personal data held by a fund must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the data subject in advance. Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing can only be undertaken if there is a legitimate purpose for doing so and if the data subject has been notified.

While it is unlikely that a fund manager will use personal data other than for the purposes of processing an investment and meeting legitimate reporting and record keeping obligations, funds must set out both the purposes for which personal data is being collected and details regarding with whom that data may be shared. The fund should disclose this information in a separate privacy notice, which can be provided with the fund’s offering memorandum and subscription documents.

Transferring Data to Third Parties

Fund managers’ operational, trading and back[1]office functions are now mostly digitised and delegated to external service providers. In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of personal data are made to third parties.

Fund managers must, therefore, conduct proper due diligence on the systems, policies and procedures of those third-party service providers to ensure that personal data is handled appropriately and securely. In addition, it is advisable for each manager to conduct regular physical audits and independent testing of a service provider’s controls.

Contractual provisions should be put in place between the fund (as the data controller) and the third-party service provider (as the data processor) to ensure that any personal data is processed only for authorised purposes; that all data is stored and transmitted securely; and that disaster-recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited without the prior approval of the fund.

Data protection Compliance for funds

The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data be corrected or deleted. Funds will need to implement policies and procedures to manage these requests.

The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted. Prescribed data-retention periods are not set out in the DPL, but an analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.

The Office of the Ombudsman will have responsibility for enforcing the new law and has issued a Guide for Data Controllers to assist organisations with the implementation process. Breaches of the DPL could result in fines of up to CI$100,000 per breach, imprisonment for a term of up to five years or both. Other monetary penalties of up to CI$250,000 are also possible under the law.

In addition to the enforcement powers of the Ombudsman, the DPL provides that any person who suffers damage as a result of a data controller’s breach may bring a civil claim for compensation. This means that a DPL breach could be used either as a standalone claim or as part of a litigation strategy to support a wider claim against a fund.

Implementing a new data protection compliance programme to take account of the DPL or incorporating the requirements of the DPL into an existing programme will involve ensuring that there is an effective governance regime for approving, overseeing, implementing and reviewing data-protection policies and procedures. Although the appointment of a Data Protection Officer is not mandatory under the DPL, funds are recommended to do so to ensure a coordinated chain of command and proper compliance.

Protecting personal data is increasingly business-critical for funds. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to a fund following a breach could be devastating.

First published by Hedge Fund Law Report, September 2019.

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Fund-Finance
25 Mar 2025

Rights and Liabilities of Limited Partners of Exempted Limited Partnerships in the Cayman Islands

This overview will cover key aspects of Exempted Limited Partnerships (ELPs) under Cayman Islands la...

Appleby-Website-Technology-and-Innovation
14 Mar 2025

Snapshot of Recent Updates to the Virtual Assets Regime in the Cayman Islands

The Cayman Islands Monetary Authority (CIMA) – the regulatory authority for virtual assets – has...

Appleby-Website-Cayman2
10 Mar 2025

Empowered Voices: Caymanian Women Leading the Way at Appleby

The Cayman Islands is home to a dynamic community of women helping shape the legal industry. At Appl...

IWD Grid Capture
8 Mar 2025

International Women’s Day 2025 roundtable: Rights. Equality. Empowerment.

As we recognise International Women’s Day 2025, we are reminded that gender equality is not just a...

Appleby-Website-Regulatory-Practice
27 Feb 2025

Cayman Islands Regulatory Round Up - Winter 2024/2025 edition

Welcome to the Cayman Islands Regulatory Round Up: October 2024 – February 2025 This update cov...

Appleby-Website-Corporate-Finance
20 Feb 2025

The Utility of the Share Premium Account in Cayman Islands Exempted Companies

Cayman Islands exempted companies are valued for their flexibility and ease of operation. A key com...

Appleby-Website-Mergers-and-Acquisitions
20 Feb 2025

Cayman Short Form Merger – is it a loophole?

Section 238 of the Companies Act (2025 Revision) (the “Act”) provides a statutory right for shar...

Appleby-Website-Banking-and-Financial-Services
19 Feb 2025

Recent Updates on BVI, Cayman and Bermuda laws

Entities incorporated or registered in the British Virgin Islands (BVI), Cayman Islands and Bermuda ...

Fund Finance
4 Feb 2025

Fund Finance Laws and Regulations 2025 – Cayman Islands

Appleby Cayman Islands' partners Simon Raftopoulos and Georgina Pullinger provide comprehensive insi...