Cayman Islands data protection laws and national risk assessment update

The Cayman Islands Data Protection Law, 2017 (DPL) has now been in effect for over two and a half years. The law, which went into effect Sept. 30, 2019, is under the authority of the Cayman Islands Monetary Authority’s (CIMA) Office of the Ombudsman. Subsequently, the ombudsman issued the Data Protection Act (2021 Revision) Guide for Data Controllers (DPA), which came into effect April 30, 2021. The update in CIMA’s DPA expanded requirements for entities that conduct business in the Cayman Islands, including many funds and partnerships that originally did not require annual financial report filings or were not previously under the scrutiny of previous DPL requirements.

While somewhat vague, the updated DPA strengthens the minimum standards and security measures required to be maintained relating to personal data held by businesses. To effectively manage data in compliance with the CPL, data mapping should be utilized to identify the personal data being used to conduct business, who has access to that data, and who controls and processes the data. The main responsibility lies with the data controller, who maintains personal data and ensures that it is processed per the requirements. A “data controller” is defined in the DPA as, “the person who, alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be, processed and includes a local representative.”

Data controllers must comply with eight data protection principles described in the DPA:

1. Fair and lawful processing of personal data;
2. Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is collected or processed;
4. Personal data shall be accurate and, where relevant, kept up to date;
5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose;
6. Personal data shall be processed in accordance with the rights of data subjects;
7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and
8. Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Often, data controllers use third-party servicers (e.g., fund admin, investor services provider) to process certain transactions which can include personal data. In situations where a third-party processes data, it is the responsibility of the data controller to ensure the third-party meets all minimum requirements under the DPA when processing data on the data controller’s behalf and the services terms are under a written agreement.

There are several noted legal basis that all entities/data controllers were required to implement when the law came into effect, noted in Schedule 2 of the DPA:

Consent: When the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to said data subject.

Contract with the data subject: A data controller may only rely on this legal basis for processing where the data subject is a party to the contract and such data is necessary to the contract obligation.

Legal obligations: To process personal data under this basis, a data controller must be able to identify the specific legal provision or guidance that establishes the legal obligation.

Interests of the data subject: This legal basis is only when “processing to protect vital interests” (Paragraph 4, Schedule 2 of the DPA). (For example, health records processed for medical purposes, not applicable for funds).

Public interest: “Processing necessary for exercise of public functions” (Paragraph 5, Schedule 2 of DPA). (Not applicable to fund managers.)

Legitimate interests of the data controllers: The most relevant to fund managers and has a flexible legal basis to process personal data. Applicable in circumstances where personal data processing has a minimal impact on a data subject's privacy or where there is justification for processing the subject’s personal data.

CIMA has released guidance for data controllers stating that personal data must be processed “for legitimate interests” (Paragraph 6, Schedule 2 of DPA), satisfied by a three-part test:

Purpose test: Is there a legitimate interest being pursued?

Necessity test: Is processing data necessary to achieve the purpose?

Balancing test: Does a person’s individual interests outweigh the purpose or legitimate interest?

CIMA requests more information from fund managers

In addition to enhanced personal data protection laws, CIMA expanded regulation and licensing requirements for entities based on results from the 2015 National Risk Assessment of Money Laundering and Terrorist Financing (NRA) and 2017 assessment by the Caribbean Financial Action Task Force (CFATF). The NRA determined certain activities that would qualify a person or entity as a financial institution under international anti-money laundering standards (AML) were not appropriately covered under CIMA. The CFATF found that the Cayman Islands’ licensing and supervisory framework did not cover all financial and nonfinancial activities as required. While the risk of terrorism financing is considered low, the necessary framework for detection and monitoring is critical for this assumption to be made. In response, CIMA has taken recommendations to expand requirements and the scope of those subject to the laws.

In 2020, the Cayman Islands government amended the Securities Investment Business Law by eliminating what was known as “Excluded Persons,” and requiring all entities who were acting as such to re-register with CIMA and provide ownership and control structure information. The newly registered entities are now referred to as “Registered Persons.” The new initiative should allow CIMA greater insight into the nature of the data being transferred through Cayman domiciled funds that were formerly excluded jurisdictions. This will ultimately give the country’s regulator the ability to easily monitor possible money laundering or terrorism financing (TF) movements.

The updates in personal data laws and CIMA’s initiative to collect more data and information can be seen as both positive and negative for fund managers who seek to set up entities in the Cayman Islands. These personal data protection efforts are seen to be more in line with the United Kingdom’s Data Protection Act 2018 and European Union’s General Data Protection Regulation. The update in the DPA was the first step to improving the Cayman Islands’ overall risk of corruption and money laundering. Next was to address the recommendations set out in the first NRA and CFATF. CIMA’s efforts to obtain more information and increase regulation on data is to keep up with international government AML/TF standards to decrease the risk of illegal or fraudulent activity. Additional information will assist CIMA in monitoring illegal activity and ensure the overall health of financial activities in the country. However, more regulation and scrutiny of data could deter even the most ethical fund managers from creating funds in the Cayman Islands due to the burden of increased reporting requirements. It remains to be seen if the latest laws and provisions will ultimately decrease the AML and TF risk, or whether the whole endeavor will push fund managers to launch new funds elsewhere.

For more information, read the following sources:

• CIMA
• Ombudsman
• Data Guidance