CAYMAN ISLANDS Law and Practice Contributed by: Sailaja Alla, Matt Mulry, Maree Martin and James Mossetto, Appleby
in the breach or to whose neglect the breach is proved to be attributable. 4.12 Data Security and Privacy for Investors Investors in funds increasingly require and demand data privacy. As obligations to collect personal data increase with new international data-sharing regimes, fund managers need to pay close attention to data protection issues. These international obligations, together with cybersecurity concerns and innovative technology deployments, are making the regulation of personal data more complex than ever before. The Data Protection Act (DPA) regulates the process - ing of all personal data in the Cayman Islands. Drafted around a set of internationally recognised privacy prin - ciples, the DPA provides a framework of rights and duties designed to give individuals greater control over their personal data. Importantly, the DPA sup - ports a growing expectation from international busi - nesses and their clients that organisations operating in offshore jurisdictions have comprehensive data pro - tection compliance requirements in place, backed up by robust data privacy legislation. Personal data is defined widely to include any data relating to a living individual. The average fund gen - erates and retains a huge amount of personal data. Fund managers may hold proprietary research and investment strategies, high-value email and contact lists, and net worth information for individuals. Under the DPA, all personal data held by the fund must be processed fairly and lawfully and be used for a legiti - mate purpose that has been notified to the data sub - ject in advance. Personal data holdings should not be excessive in relation to the purposes for which they are collected, and should be securely purged once those purposes have been fulfilled.
If personal data is processed for any new purpos - es, this processing can only be undertaken if fresh consent is obtained. Data subjects must also be informed of any countries or territories outside the Cayman Islands to which their personal data may be transferred. Recommended best practice is for this information to be set out in a separate privacy notice that can be provided with the offering document and subscription documents. Contractual provisions should be put in place between the fund (as the data controller) and the third-party service provider (as data processor) to ensure that: • any personal data is processed only for authorised purposes; • all data is stored and transmitted securely; and • disaster recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited without the prior approval of the fund. 4.13 Anticipated Changes for Investors No changes are currently anticipated.
87 CHAMBERS.COM
Powered by FlippingBook