Data Protection in the Cayman Islands - Documentation

Jun 1, 2021

The Cayman Islands Data Protection Act, 2017 (“DPA”) has been in effect since 30 September 2019. The Office of the Ombudsman has issued a Guide for Data Controllers which aims to explain how the Ombudsman interprets certain provisions of the DPA. 

This advisory provides a brief summary of key documentary requirements in relation to the DPA. Our previous advisory provides an overview of the DPA.

The DPA requires a Cayman Islands data controller (for example, an investment fund) to comply with eight data protection principles when processing personal data and to ensure that those principles are complied with in relation to personal data processed on the data controller’s behalf (for example, by an administrator). The DPA also deals with data security, data breaches and the rights of individual data subjects. The DPA applies regardless of the location of the data subject or any data processor.

International financial sector businesses will find many similarities between the data protection law of the Cayman Islands and of other jurisdictions where they are active.

Key Documentary Requirements

Key documentary measures to be implemented by data controllers are as follows:

  • A data controller is required to provide privacy information to data subjects, typically in the form of a privacy notice. In the case of an investment fund, this means providing all investors with a privacy notice (typically appended to the subscription agreement or, in some cases, provided to investors on a standalone basis). Walkers can draft or review an investor privacy notice and provide DPA wording for offering documents.
  • The Ombudsman recommends that a data controller should also have an internal data protection policy. Walkers can review or prepare an internal data protection policy.
  • A data controller which engages a data processor must ensure that the engagement is based on a written contract to ensure compliant processing. The contract may also need to incorporate terms to permit cross-border data transfer depending on the location of the processor and any sub-processors. In practice, data controllers will also wish to include a number of other important requirements to ensure that the data controller is in a position to comply with its own obligations. In the case of an investment fund, it should ensure that its service agreement with its administrator (or any other person that processes personal data on its behalf) complies with these requirements at the outset or, if necessary, is amended accordingly. Walkers can review agreements or prepare amendments as required.

Where clients have existing documents to comply with the data protection law of other jurisdictions, such as the EU General Data Protection Regulation, Walkers can also review and advise on whether these can be amended for use pursuant to the DPA.

Next Steps

This advisory provides a brief summary of key practical steps to be taken in relation to the DPA. The application of data protection requirements will need to be considered on a case-by-case basis. Walkers’ Regulatory & Risk Advisory practice group comprises a team of dedicated specialist lawyers who will be happy to advise on all aspects of data protection requirements, including not only documentation as discussed above, but also advising on roles and responsibilities, data mapping, providing training and advising on data subject access requests and data breaches. Walkers’ Regulatory & Risk Advisory practice group is global and can also advise on data protection across our jurisdictions as required.

Authors

Lucy Frew

Partner/Cayman Islands

T/+1 345 814 4676
M/+1 345 939 4676

Sara Hall

Partner/London

T/+44 (0) 2072 204 975
M/+44 (0) 7904 132 128

Natalie Curtis

Partner/Hong Kong

T/+852 2596 3357
M/+852 9225 8084

Louise Denman

Senior Counsel/Dubai

T/+971 4 363 7904

Juliana Tang

Partner/Cayman Islands

T/+1 345 814 4612
M/+1 345 936 4612

Benjamin Twidle

Senior Counsel/London

T/+44 (0) 20 7398 4999
M/+44 (0) 7903 044 616
