The Cayman Islands Data Protection Law, 2017 (“DPL”) will come into effect on 30th September 2019 and Cayman investment funds will be deemed to be data controllers under the DPL. This applies to all funds, not just those registered with, or otherwise authorised by, the Cayman Islands Monetary Authority.
A key operational consequence of the DPL is that data breaches must be reported to the Office of the Ombudsman in the Cayman Islands within five (5) days.
Data breaches can include inadvertent breaches, such as those caused by mis-configured investor data portals, not just malicious intrusions.
Failure to notify the Office of the Ombudsman of a breach when required to do so is an offence under the DPL and can result in a conviction and a fine of approximately US$120,000.
Failure to notify may also be subject to a monetary fine imposed by the Ombudsman under Section 55 of the DPL.
As the fund is the data controller, it has the reporting and compliance responsibility, but personal data may be stored at various data processors such as the fund administrator, FATCA/CRS consultant, investment manager/adviser and the AML Compliance Officer/MLRO.
The Ombudsman recommends that a data controller should have a data protection policy and the absence of such a policy may increase the likelihood of enforcement action in the event of a data breach.
The data protection policy should conform to the eight data protection principles which can be found here:
WHAT STEPS SHOULD I TAKE?
1) Establish an inventory of personal data processors;
2) Ensure the fund directors are aware of their obligations under the DPL;
3) Ensure the fund board approves a data protection policy that incorporates the eight data protection principles;
   a. The policy should clearly designate a knowledgeable person who will be responsible for receiving, reviewing and onward reporting data breaches to the Ombudsman;
4) Update agreements with all fund service providers who hold personal data;
5) Update fund documents with a form of privacy notice.
HOW CAN DMS HELP?
DMS can assist with points 1), 2) & 3) as set out above and can discuss with you any relevant issues. Drawing on almost 20 years of governance, risk and compliance experience in the Cayman Islands, DMS has completed many hours of specific discussions with the Office of the Ombudsman regarding the application of the DPL to the uniquely distributed infrastructure of the alternative funds industry.
Please contact your usual DMS representative to find out more or contact our team of specialized professionals below:
Alison Mitsas