Cayman Data Protection Law 1 August 2019


Simon Vardon

Director, Product Development – Real Estate


Cayman’s data protection legislation, the Data Protection Law of 2017 (DPL), takes effect from Monday, 30 September 2019. It gives individuals more control over their personal data and protects against its misuse in both the public and private sectors.

This briefing note was prepared by Simon Vardon, Director, Product Development – Real Estate and Jing Jing Qian, Managing Director, Asia-Pacific.

Background

The DPL is modelled on European data protection legislation, the most noteworthy being the General Data Protection Regulation (GDPR) and thereby facilitates the free flow of data – which the Cayman Ombudsman notes is a pre-requisite for the Cayman Islands being an equal and competitive participant in today’s globalised economy. 

The DPL is structured in a similar way to GDPR: it defines Data Controllers and Data Processors in very similar terms and adopts a wide definition of what constitutes processing of personal data. The DPL introduces eight principles (GDPR defines six within its Article 5); however, the sentiment of the legislation is consistent. One difference of note compared to GDPR is that there is no mandatory requirement for certain organisations to appoint a Data Protection Officer (DPO).

Key Data Protection Law definitions

The DPL defines the Data Controller as “the person who, alone or jointly with others determines the purposes, conditions and manner in which any personal data are (or are to be), processed and includes a local representative.”

The DPL defines the Data Processor as “any person who processes personal data on behalf of a data controller but, for the avoidance of doubt, does not include an employee of the data controller.”

The DPL defines processing very broadly, covering any conceivable use of data. In fact, any activity which affects personal data in any way constitutes processing; mere storage or retention will constitute processing as well.

The processing of some types of personal data presents a higher risk to that person’s rights and interests. The DPL (again broadly in line with GDPR) explicitly recognises certain types of data as being “sensitive personal data”.

Core principles of the DPL

The eight data protection principles set out in the DPL, which together form its framework, are:

  • Fair and lawful use
  • Purpose limitation
  • Data minimization
  • Data accuracy
  • Storage limitation
  • Respect for the Individual's rights
  • Security - integrity and confidentiality
  • International transfers

Data Controllers are responsible for ensuring that the processing of personal data is undertaken in accordance with the data protection principles.

What does it mean for Cayman Funds?

Industry expectations are that General Partners established in Cayman will be determined to be Data Controllers for their own data and that of the Cayman Limited Partnership. Personal data being processed will typically be that of directors and officers as well as of investors/UBOs/controllers. Fund Administrators are typically classified as Data Processors, and an enquiry will need to be made with the other service providers typically engaged: legal advisors, bankers and auditors. From experience in other jurisdictions, certain engaged service providers will also be Data Controllers, since some of these roles require the service provider to have autonomy over the data that they process.

Some of the most noteworthy requirements for Data Controllers to heed are:

The ability to comply with requests from data subjects

The DPL includes a number of rights for individuals concerning their personal data, including the right to be informed, the right of access, the right of rectification, the right to stop or restrict processing and the right to stop direct marketing. These rights therefore oblige Data Controllers to have policies and procedures in place to be able to comply with the rights of individuals and requests that might be made in accordance with their rights.

Personal Data Breaches

The DPL introduces a duty on all Data Controllers to report personal data breaches to the Ombudsman and the individual(s) whose data was breached, unless the breach is unlikely to prejudice their rights and freedoms. The breach must be reported within five days.

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Contracts

DPL introduces a mandatory requirement for a written contract to be in place whenever a Data Controller uses a Data Processor. The contract is important so that both parties understand their responsibilities and liabilities. Data controllers remain liable for their compliance with the DPL even if the processing of personal data is delegated.

Data processors must only act on the documented instructions of a controller. Data processors that breach their contractual obligations may be liable for damages to the affected data controller. The Ombudsman has certain investigatory powers, and non-compliance may lead to prosecution.

The DPL sets out a number of mandatory terms that must be included within the contract, together with recommended terms that are a matter of good practice, including the following.

Contracts should, as a matter of good practice, include the following details:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subject
  • The obligations and rights of the controller

Contracts should include the following terms:

  • The data processor must ensure that people processing the data are subject to a duty of confidence
  • The data processor must only engage a sub-processor with the prior consent of the data controller and a written contract
  • The data processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the DPL
  • The data processor must assist the data controller in meeting its DPL obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
  • The data processor must delete or return all personal data to the controller as requested at the end of the contract
  • The data processor must submit to audits and inspections, provide the controller with information needed to ensure that they are both meeting their legal obligations, and tell the controller immediately if it is asked to do something infringing the DPL

As a matter of good practice, contracts should also:

  • State that nothing within the contract relieves the data processor of its own direct responsibilities and liabilities under the DPL.
  • Reflect any indemnity that has been agreed.

It is envisaged that contracts between Data Controllers and Data Processors will need to be updated to comply with the above requirements and best practice.

Penalties and Fines

The Guidance for Data Controllers issued under the DPL notes that, “not notifying a breach in time may cause additional damages to the individuals whose data has been breached. Failing to notify a breach when required to do so is an offence under the DPL and can result in a conviction and a fine of one hundred thousand dollars (CI $100,000). Failing to notify may also be subject to a monetary penalty imposed by the Ombudsman under section 55 of the DPL.”

Summary

Data Controllers who need to comply with the DPL would be advised to undertake steps similar to those taken by Data Controllers who had to navigate the new GDPR legislation back in 2018. Initial steps to understand and map the types and uses of personal data being processed, and where and by whom the processing takes place, are advised. Data Controllers will also need to ensure that they have policies and procedures designed to ensure that they are able to comply with the DPL and the rights of individuals concerning their data. Contractual terms with Data Processors will need to be reviewed to ensure compliance with the new requirements. Privacy notices will typically be required as the means for Data Controllers to comply with an individual’s right to be informed.

How can SANNE help?

SANNE has developed templates and checklists in line with industry best practice to assist Data Controllers, in particular the boards of General Partners (GPs), with their initial assessments of the personal data for which they are responsible and to prompt the actions that need to be undertaken to comply with the new legislation. The assessments will also assist the boards in concluding upon a risk-based approach to ongoing compliance. In addition, SANNE can assist GPs in the production of policies and procedures to aid their ongoing compliance with the new obligations.

For further information on our services please contact Simon Vardon and Jing Jing Qian.