Individuals, private or public entities (‘Organisations’) resident in the Cayman Islands (‘Cayman’) which do not comply with the European Union (‘EU’) General Data Protection Regulation (‘GDPR’) after 25 May 2018 may face heavy fines. Although the legislation is not part of Cayman law, it can apply to companies outside the EU, including Cayman funds with EU investors, and those working with or advising them.
What is the GDPR?
GDPR is a binding legislative act whose provisions become enforceable on 25 May 2018. It applies in its entirety across the EU and in certain circumstances applies to Organisations which are established outside the EU. The aim behind it is to protect EU citizens from improper uses of their personal data, such as privacy or data breaches by Organisations within or outside the EU. It lays down rules to protect natural persons with regard to the processing of their personal data. It goes beyond the Directive it replaces in important aspects:
- 1) it makes it clear that it can apply outside the EU;
- 2) it sets out rights of ‘data subjects’;
- 3) it also increases the clarity required in both the request for consent to process data and any consent given; and
- 4) it sets out a requirement to design systems to include data protection.
When could it apply to a Cayman Organisation?
Under Article 3.2, the GDPR applies to the ‘processing’ of ‘personal data’ of ‘data subjects’ who are in the EU by a ‘controller’ or ‘processor’ which is not established in the EU, where those processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
(b) the monitoring of their behaviour where that behaviour takes place within the EU.
What do those terms mean?
- a) ‘processing’ – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means;
- b) ‘personal data’ – any information relating to an identified or identifiable natural person (‘data subject’);
- c) ‘data subject’ – an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors;
- d) ‘controller’ – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- e) ‘processor’ – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
When might it apply to my Organisation?
The GDPR applies to all Organisations which process the personal data or monitor the behaviour in the EU of data subjects who live in the EU. Under Article 2 it applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Where the GDPR applies to a controller or processor which is not established in the EU then that controller or the processor shall designate in writing a representative in one of the EU Member States where the data subjects are. However, under Article 27 this does not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of certain specified special categories of data or certain processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body.
What are a data subject’s rights?
The rights of the data subject include:
- 1) Mandatory Notice of Breach – giving a data subject notice within 72 hours of any data breach which is likely to ‘result in a risk for the rights and freedoms of individuals’;
- 2) Right of access – allowing a data subject to have the controller confirm whether their personal data is being processed, where and why, and to be given a free electronic copy;
- 3) Right to be Forgotten – a right to have the data controller erase the data subject’s personal data and stop its dissemination and processing by third parties. There are provisions allowing controllers to weigh the data subject’s rights against ‘the public interest in the availability of the data’ when considering such requests.
- 4) Right to Data Portability – a right which allows data subjects to ask a controller for data they have provided and to transmit it to another controller.
How has the consent requirement changed?
The GDPR makes it clear that both the request to the data subject for consent to process data and the consent given must be clear, in plain language, and distinguishable from other matters. It must also be as easy for the data subject to withdraw consent as it is to give it. Consent is defined as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which, by a statement or clear affirmative action, the data subject signifies agreement to the processing of personal data’. Failure to obtain the required consent would potentially attract the maximum fine (see below).
Privacy by Design as a legal requirement
Article 25 of the GDPR makes designing systems to include data protection from the outset a legal requirement. It calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation); to implement appropriate technical and organisational measures (e.g. pseudonymisation); and to limit access to personal data to those who need it to carry out the processing.
What happens if an Organisation does not comply?
Organisations which breach the GDPR are liable to a potential maximum fine of the greater of €20m (about US$26m) or up to 4% of their annual global turnover. The GDPR’s administrative fines are designed to reflect the severity of the breach and in each case to be effective, proportionate and dissuasive. The maximum fine would apply where there was a lack of sufficient customer consent to process data or a failure to respect data subject rights (see above). A fine of 2% of annual global turnover would apply where records were not in order, or where there is a failure to notify the supervising authority and the data subject about a breach.
What should I be doing now?
If you or your Organisation hold data on any EU citizen, the GDPR may apply. If so, the extent of any review of existing systems and processes for data retrieval, management and storage, both manual and automatic, may be considerable. You may need to design and set up new systems, review existing contracts and create new roles within your Organisation to ensure compliance. So, as soon as possible before 25 May 2018, you should consider whether to seek advice from a firm qualified to advise on EU laws and regulations, including the GDPR, to see what steps you should be taking.
Whilst we are not able to advise on matters of EU law, if you require any further information on how to get advice on how GDPR might affect a Cayman fund, then contact your usual contact at Solomon Harris or Richard Addlestone at email@example.com or Nick Reid at firstname.lastname@example.org and we can recommend a firm which can help.
The information contained in this article is necessarily brief and general in nature and does not constitute legal advice. Appropriate legal or other professional advice should be sought for any specific matter.