Investment funds have become voracious consumers of all kinds of data. At the same time, investment funds and various industry service providers come into contact with and process a great deal of personal data – notably on their investors and employees – primarily through the course of normal operations but also through certain marketing activities and working with affiliates. See our three-part series on big data: “Its Acquisition and Proper Use” (Jan. 11, 2018); “MNPI, Web Scraping and Data Quality” (Jan. 18, 2018); and “Privacy Concerns, Third Parties and Drones” (Jan. 25, 2018). As the issue of data privacy has recently gained attention through, among other things, the Facebook and Cambridge Analytica scandal, the scope of regulation with respect to the holding and processing of personal data is expanding. The investment funds industry will not escape this focus. Managers must therefore examine their own data and privacy policies to ensure they comply with new laws and regulations. Investment funds domiciled in the Cayman Islands, in particular, must comply with the Cayman Islands Data Protection Law (DPL) and the E.U. General Data Protection Regulation (GDPR). In a guest article, Jonathan Bernstein, partner at Harneys, examines the requirements of the DPL and GDPR, as well as what fund managers can do to comply with them. For additional insight from Harneys attorneys, see “In Madoff-Related Litigation, Cayman Court of Appeal Holds That a Liquidator May Not Adjust a Shareholder’s NAV, Even When Based on Fictitious Profits” (May 17, 2018); and “Despite Fiduciary Duty Questions, Cayman LLCs Can Offer Savings and Other Advantages to Hedge Fund Managers” (Jul. 21, 2016).