The Cayman Islands Data Protection Law, 2017 (the "DPL") is expected to come into force on 30 September 2019. It will affect how personal data can be processed by or on behalf of the data controllers it covers, and it will create rights that data subjects can exercise against those controllers. This briefing outlines the main provisions of the DPL.
Who is affected?
The DPL will apply to any data controller that is established in the Cayman Islands and processes personal data in the context of that establishment, and to any data controller established outside the Cayman Islands that processes personal data in the Cayman Islands for any purpose other than transit through the Cayman Islands.
A data controller is any person who determines the purposes, conditions and manner in which personal data are processed. In the context of a Cayman fund this will be the fund itself, and also any service provider that uses personal data collected on behalf of the fund for its own purposes, including satisfying its own anti-money laundering or other regulatory obligations.
Personal data are any data relating to a living individual who can be identified, and include, for example, names; residential, mailing and email addresses; telephone and facsimile numbers; dates and places of birth; nationalities; genders; signatures; bank account details; passports and other identification cards; tax residences; tax identification numbers; and social security numbers.
Processing includes obtaining, holding, altering, using, disclosing or erasing personal data. In the context of a Cayman fund this would include receiving application forms and correspondence from investors, and receiving reports and correspondence from service providers.
What are the requirements?
Data controllers subject to the DPL are required to ensure that the personal data they process are processed fairly, for specified purposes and in accordance with data subjects' rights; that such data are adequate, accurate, secure and not excessive; that they are retained only for so long as necessary; and that they are not transferred outside the Cayman Islands unless certain conditions are met.
Data controllers are obliged to provide privacy statements to any individuals whose personal data they process. At a minimum these must state the identity of the data controller and the purposes for which the personal data are processed. Where a data controller appoints a third party to process personal data on its behalf, that appointment should be in writing and should provide that the data processor acts only on the documented instructions of the data controller, that the data processor implements adequate security measures, and that the data processor assists with responding to any exercise of rights by data subjects, with audits of data protection requirements and with responding to personal data breaches.
Data subjects whose personal data are processed by or on behalf of a data controller have the right to require the data controller to give them access to the personal data it holds about them, to stop direct marketing using their personal data and, in certain circumstances, to rectify their personal data, to stop or restrict processing of their personal data, and to delete their personal data.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed by or on behalf of a data controller, the data controller is obliged to give notice of the breach to both the data subject and the Cayman Ombudsman. Such notice must be given no later than 5 days after the data controller became aware of the breach or should, with the exercise of reasonable diligence, have become aware of it. The notice should describe the nature of the breach, its consequences, the measures proposed by the data controller to address it and the measures recommended to the data subject to mitigate its adverse effects. Because the 5-day period runs from when the breach should have been detected rather than from when it was actually noticed, all data controllers will need effective monitoring of their data processing for security breaches in order to meet this obligation. In the context of investment funds this should involve detailed contractual requirements for service providers to monitor data security, to report breaches promptly and to assist in the handling of any personal data breach.
Except in specific limited circumstances, where a data controller transfers personal data outside the Cayman Islands it is obliged to ensure that the jurisdiction to which the data are transferred provides an adequate level of data protection. The Cayman data protection guidance states that jurisdictions within the European Economic Area, and those in respect of which an adequacy decision has been adopted by the European Commission under European data protection legislation, are considered to ensure an adequate level of protection. Transfers of personal data by or on behalf of a data controller to any other jurisdiction will need to include a contractual commitment from the transferee that adequate protections will be implemented; this can be achieved by using provisions similar to the published European standard contractual clauses to protect the privacy and integrity of personal data.
Personal data processed by or on behalf of a data controller should be deleted or anonymised once they are no longer required to be retained under applicable law or regulation. The length of time for which personal data may be retained should be determined by reference to applicable contractual limitation periods and regulatory requirements, which in the context of Cayman funds will be the limitation periods applicable to contracts and deeds and the retention periods set out in anti-money laundering and international tax compliance regulations.
What if I'm already compliant with GDPR?
Cayman funds whose service providers located in Europe process their data are likely to be compliant already with the European Union's General Data Protection Regulation ("GDPR"). Complying with GDPR will have involved providing data subjects with a notice of the identity of the fund (and potentially also the relevant service provider) as data controller and of the purposes for which their data are processed. The Cayman data protection guidance specifically states that a GDPR-compliant data protection agreement will be compliant under the DPL.
Is there any need for additional policies or officer appointments?
The DPL does not impose any requirement to implement data protection policies or to appoint a data protection officer or any other officer. The Cayman data protection guidance does, however, list a number of best practices and suggested good practices to assist affected data controllers in complying with the DPL. These include retention, information security and data breach policies, and the maintenance of records relating to access, rectification and stop requests, direct marketing objections, data subject consents, legitimate interest assessments, staff training, data breaches and sources of personal data. The Cayman Ombudsman's website (https://ombudsman.ky/data-protection) also contains a useful sample record of processing activities which can be used to support the implementation of data protection compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.