Cayman Data Protection Law
1 August 2019
The DPL is modelled on European data protection legislation, most notably the General Data Protection Regulation (GDPR), and thereby facilitates the free flow of data, which the Cayman Ombudsman notes is a prerequisite for the Cayman Islands being an equal and competitive participant in today’s globalised economy.
The DPL is structured in a similar way to GDPR: it defines Data Controllers and Data Processors in a very similar manner and adopts a wide definition of what constitutes processing of personal data. The DPL introduces eight principles (GDPR defines six within its Article 5); however, the sentiment of the two pieces of legislation is consistent. One difference of note compared to GDPR is that there is no mandatory requirement for certain organisations to appoint a Data Protection Officer (DPO).
The DPL defines the Data Processor as “any person who processes personal data on behalf of a data controller but, for the avoidance of doubt, does not include an employee of the data controller.”
The DPL defines processing very broadly, covering any conceivable use of data. In fact, any activity which affects personal data in any way constitutes processing; mere storage or retention will constitute processing as well.
The processing of some types of personal data presents a higher risk to the rights and interests of the individual concerned. The DPL (again broadly in line with GDPR) explicitly recognises certain types of data as being “sensitive personal data”.
The eight data protection principles set out in the DPL, which together form its framework, are:
Data Controllers are responsible for ensuring that the processing of personal data is undertaken in accordance with the data protection principles.
Industry expectations are that General Partners established in Cayman will be determined to be Data Controllers for their own data and that of the Cayman Limited Partnership. The personal data being processed will typically be that of directors and officers as well as of investors/UBOs/controllers. Fund Administrators are typically classified as Data Processors, and an enquiry will need to be made with the other service providers typically engaged: legal advisors, bankers and auditors. From experience in other jurisdictions, certain engaged service providers will also be Data Controllers, since some of these roles require the service provider to have autonomy over the data that they process.
The DPL includes a number of rights for individuals concerning their personal data, including the right to be informed, the right of access, the right of rectification, the right to stop or restrict processing and the right to stop direct marketing. These rights therefore oblige Data Controllers to have policies and procedures in place to be able to comply with the rights of individuals and requests that might be made in accordance with their rights.
The DPL introduces a duty on all Data Controllers to report personal data breaches to the Ombudsman and the individual(s) whose data was breached, unless the breach is unlikely to prejudice their rights and freedoms. The breach must be reported within five days.
“Personal data breach” means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
The DPL introduces a mandatory requirement for a written contract to be in place whenever a Data Controller uses a Data Processor. The contract is important so that both parties understand their responsibilities and liabilities. Data Controllers remain liable for their compliance with the DPL even if the processing of personal data is delegated.
Data Processors must act only on the documented instructions of a Data Controller. Data Processors that breach their contractual obligations may be liable for damages to the affected Data Controller. The Ombudsman has certain investigatory powers, and non-compliance may lead to prosecution.
There is a host of recommended and mandatory terms that the DPL requires to be included within the contract, including:
It is envisaged that contracts between Data Controllers and Data Processors will need to be updated to comply with the above requirements and best practice.
The Guidance for Data Controllers issued under the DPL notes that “not notifying a breach in time may cause additional damages to the individuals whose data has been breached. Failing to notify a breach when required to do so is an offence under the DPL and can result in a conviction and a fine of one hundred thousand dollars (CI$100,000). Failing to notify may also be subject to a monetary penalty imposed by the Ombudsman under section 55 of the DPL.”
Data Controllers who need to comply with the DPL would be advised to undertake steps similar to those taken by Data Controllers who had to navigate the new GDPR legislation in 2018. Initial steps to understand and map the types and uses of personal data being processed, and where and by whom the processing takes place, are advised. Data Controllers will also need to ensure that they have policies and procedures designed to enable them to comply with the DPL and with the rights of individuals concerning their data. Contractual terms with Data Processors will need to be reviewed to ensure compliance with the new requirements. Privacy notices will typically be required as the means by which Data Controllers comply with an individual’s right to be informed.
SANNE has developed templates and checklists in line with industry best practice to assist Data Controllers, in particular the boards of General Partners (GPs), with their initial assessments of the personal data for which they are responsible and to prompt the actions that need to be undertaken to comply with the new legislation. The assessments will also assist the boards in settling on a risk-based approach to ongoing compliance. In addition, SANNE can assist GPs in producing policies and procedures to aid their ongoing compliance with the new obligations.