The Cayman Islands Data Protection Law, 2017 (the “DPL”) came into effect on 30 September 2019. The DPL applies to data controllers, namely persons who determine the purposes, conditions and manner in which personal data is to be processed. Personal data means data relating to a living individual (referred to as a data subject) from which that individual can be identified and includes personal information like physical address, date of birth, financial information, email address and other contact information and the like.
The DPL applies to processing carried out by data controllers established within the Cayman Islands. In certain cases, it applies to data controllers outside the Cayman Islands that process personal data within the Cayman Islands. The DPL requires a Cayman Islands data controller (e.g. an investment fund) to comply with eight data protection principles when processing personal data and to ensure compliance with those principles by any data processer (e.g. a fund administrator) who is processing personal data on the data controller’s behalf. The DPL also covers data security, data breaches and the rights of individual data subjects. The DPL applies regardless of where the data subject or the data processor is located.
Cayman Islands funds require investors to provide personal information relating to that investor (or its directors, members or beneficial owners) in order to comply with statutory and regulatory obligations (e.g. for anti-money laundering due diligence purposes, AEOI reporting and to fill out registers of members and officers) as well as to communicate with investors and make redemptions and other payments.
Some practical steps and the key documentary updates applicable to Cayman Islands investment funds, as data controllers under the Data Protection Law, include the following:
- A data controller is required to communicate certain privacy information to data subjects as soon as practicable. In the funds context, this information is usually provided to investors via a privacy notice; either annexed to the offering document or subscription agreement or by way of a separate investor communication.
- Offering documents should be updated to include a brief disclosure relating to the enactment of the DPL and its consequences.
- Subscription agreements should also be updated to include certain DPL representations to the effect that the investor has read the privacy notice and understands how the fund will process that investor’s personal data.
- A data controller will need to ensure that any contract with a data processor is compliant with DPL requirements. This is likely to require updates to the Cayman fund’s investment management agreement and its administration agreement to ensure that any such service-provider only acts in accordance with the fund’s instructions and that appropriate safeguards are in place to protect the security of the personal data being processed.
- Due diligence on the systems and policies of third party service-providers (as data processors) will need to be conducted to ensure that personal data is handled securely and that there is a data breach policy in place. It is advisable that periodic physical audits and independent testing of service-provider controls are conducted.
- Although the adoption of a formal data protection policy or the appointment of a data protection officer is not mandated under the DPL, fund managers and directors need to be aware of how personal data is processed within the fund structure and how to safeguard the rights of investors in relation to data access and data breaches. The adoption of a data protection policy and/or appointing a designated data protection officer may be helpful in addressing on-going DPL compliance.
You can download your copy of the The Cayman Islands Data Protection Law, 2017 – Funds Update here
KB Associates Services to Cayman Funds
KB Associates supports over fifty asset managers operating Cayman Islands funds via the following services:
- the provision of AIFM services to Cayman funds marketed in the EEA on a private placement basis;
- the provision of Cayman resident independent fund director services;
- the provision of money laundering reporting officer, deputy money laundering reporting officer and AML compliance officer services;
- the provision of board support services.
If you would like to discuss any issues raised in this briefing or related to KB Associates’ Cayman Islands services in general, please contact Mike Parton email@example.com or James Wauchope firstname.lastname@example.org.