The Cayman Islands Data Protection Law (DPL) comes into effect on 30 September 2019.
Anyone who falls within the definition of a “data controller” must now comply with eight data protection principles in relation to any personal data processed by the data controller. Where a data controller engages a third party (a data processor) to process personal data on its behalf, the data controller must ensure the third party complies with the eight data protection principles.
The eight data protection principles (Schedule 1 to the DPL) are:
- Fairness and lawfulness
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Respect for the rights of the data subject
- Integrity and confidentiality (security)
- International transfers
The DPL also sets out the rights of individuals to control their personal data and implements a system to protect against the misuse of personal data.
The DPL is similar to the General Data Protection Regulation (GDPR) with which many clients will be familiar.
Do I need to comply with the DPL?
You must comply with the DPL if you are a data controller that is a Cayman Islands company or partnership, a foreign company registered in the Cayman Islands or a business operating in the Cayman Islands, and you process personal data in the context of that establishment in the Cayman Islands. The individual to whom the personal data relates does not need to be resident in the Cayman Islands or a citizen of the Cayman Islands.
If you are a data controller that processes personal data in the Cayman Islands, regardless of where you are established, then you must also comply with the DPL and appoint a local representative.
Am I a data controller?
Data controllers determine the purposes, conditions and manner in which any personal data are processed or are to be processed. Personal data is any data relating to a living individual who can be identified from that data, either on its own or in combination with other information held by, or likely to come into the possession of, the data controller.
Are there any exemptions/safe harbours?
There are exemptions from the requirement to comply with some or all of the data protection principles, for example for the purposes of safeguarding national security, the investigation of crime and legal professional privilege. Whether an exemption applies must be assessed on a case-by-case basis.
Does a Cayman Islands investment fund have to comply with the DPL?
Yes, in nearly all instances.
What do I need to do to comply with the DPL?
If you are within scope of the DPL then you must:
- Prepare a privacy notice to give to individuals to explain how you will process, use and retain their personal data
- Review your procedures to ensure the manner in which you process and retain personal data complies with the DPL and that you are able to retrieve specific personal data if requested to do so by a data subject or a relevant authority
- Adopt a data processing, protection and retention policy where your existing procedures do not already document how personal data is handled
- If you engage a third party to process data on your behalf you will need to ensure there is a written contract for such engagement that addresses your obligations under the DPL, including any transfer of data outside of the Cayman Islands
A Cayman Islands investment fund will therefore need to:
- Send the privacy notice to existing investors on or around 30 September 2019
- Update subscription documents to include a privacy notice for new investors
- Update offering documents to reflect the new requirements under the DPL
- Update agreements with any third parties that process personal data on behalf of the fund to ensure such processing is undertaken in compliance with the DPL especially where there is transfer of data outside of the Cayman Islands
What are the penalties for breach of the DPL?
There are material financial penalties for persons that breach the DPL, ranging from CI$10,000 to CI$250,000, and possible terms of imprisonment of up to five years. Unlike the GDPR, the penalties under the DPL are fixed amounts rather than being calculated by reference to turnover.
Where an offence under the DPL is committed with the consent of any director, manager, secretary or similar officer of an entity then such person may also be liable for the applicable penalty.
Are there any DPL guidance notes?
The Cayman Islands supervisory authority for the DPL, the Office of the Ombudsman, has issued a Guide for Data Controllers to explain how the Office of the Ombudsman will likely interpret various provisions of the DPL. The guide is largely based on the United Kingdom’s Information Commissioner’s Office’s Guide to the GDPR and is a very useful starting point for information.
Please contact your usual Harneys representative if you would like advice on compliance with the new data protection regime in the Cayman Islands. If you have any other questions, visit harneys.com/Cayman.