Cayman Data Protection Law Becomes Effective September 30, 2019

The Data Protection Law, 2017 (the “DPL”) will become effective on September 30, 2019 in the Cayman Islands. The DPL aims to provide a level of privacy and disclosure for individuals and entities when their personal data is being used by Cayman Islands entities. Certain violations of the DPL can lead to fines of up to CI$250,000 and imprisonment for up to five years. All entities organized in the Cayman Islands will be subject to the law in respect of personal information which they process. Further, they will have obligations in respect of any service providers that process and/or control the relevant personal data, regardless of jurisdiction of the service provider. In practice, the DPL will be most relevant for managers that manage feeder funds and master funds organized in the Cayman Islands.

To ensure compliance with the DPL, managers of Cayman Islands entities should:

1. Review their current data collection, use, and protection policies and practices with Cayman Islands counsel and identify gaps in compliance with the DPL.
2. Ensure that all existing contracts with service providers are DPL-compliant.
3. Update privacy notices to properly incorporate and reference the DPL. For fund managers, the privacy policy which is typically attached to the fund’s subscription agreement should be updated to ensure that new subscribers receive a DPL-compliant privacy notice, and a manager can include the DPL-compliant privacy policy on its website or otherwise distribute a letter or email with respect to such policy to alert existing investors.