Investment advisers and managers of private investment funds organized in the Cayman Islands should take note that on September 30, 2019, the Data Protection Law, 2017 (the “DPL”), is set to come into effect.
In general terms, this will bring the Cayman Islands into line with many other countries who have recently enacted enhanced data privacy laws, including the European Union’s GDPR. The DPL is designed to protect individuals’ data and give them greater control over its use. It is further designed to lower the administrative burden on organizations operating internationally and “to cement the Cayman Islands as an attractive jurisdiction in line with international developments.”
Overview of the DPL
The DPL applies to Cayman private investment funds where personal data regarding an individual (“data subject”) is processed by “data controllers” and/or “data processors.” Data controllers are those who determine the “purposes, conditions and manner in which any personal data are” processed, while data processors are simply those that process personal data on behalf of a data controller. For the purposes of the DPL, any private fund organized in the Cayman Islands will be a “data controller.” Other service providers to the Cayman fund, for example, the manager and/or fund administrator, may be a “data processor” and in some cases a “data controller.” The DPL applies regardless of the location of the individual (“data subject”) and also applies to corporate investors who provide personal data in relation to an individual who is connected with the corporate investor.
The DPL is built on eight principles that regulate the processing of personal data: fair and lawful processing, purpose limitation, data minimization, data accuracy, storage limitation, respect for the individual’s rights, security-integrity and confidentiality and cross-border transfers. Oversight of the DPL is the responsibility of the Cayman Islands Office of the Ombudsman.
What Do We Need to Do?
You will need to:
- Determine whether the Cayman fund’s current data privacy procedures (including data protection and retention policies) are compliant with the DPL. For example, analyzing whether the nature and amount of data collected from an individual is necessary and appropriate in relation to the purpose of the data collection.
- Review whether there are adequate policies and systems in place to handle requests by an individual for information, correction of information, or deletion of information.
- Review any of your contracts with service providers to ensure that they are written and are DPL compliant and ensure all agreements contemplate cross-border data transfer.
- Review and amend the Cayman fund’s documentation by:
- updating privacy notices and sending to investors before the date the DPL goes into effect; and
- updating subscription agreements and private placement memoranda to include language specific to the implementation of the DPL.