News and developments

The Cayman Islands Data Protection Law, 2017

The following information relates to the enactment of The Cayman Islands Data Protection Law, 2017 ("DPL"), which came into effect on 30 September 2019. The DPL regulates the processing of all personal data in the Cayman Islands. The DPL gives individuals control over their personal data and protects against its misuse in both the public and private sectors.

The DPL applies to “data controllers”[1], who are required to ensure that the “personal data”[2] of a “data subject”[3] which they process, or which is otherwise processed on their behalf by a “data processor”[4], is processed in accordance with the eight data protection principles prescribed under the DPL, as set out below:

  1. Fair and Lawful Use: Personal data must be processed in both a fair and a lawful manner. This means that the data controller must inform a data subject (i) who they are and (ii) the purpose for which the personal data will be used. In addition, there must be a legal ground that permits the data controller to process the personal data, such as (i) the data subject has consented to the processing, (ii) the processing is necessary for the performance of a contract to which the data subject is a party or (iii) the processing is required under law.
  2. Purpose Limitation: Personal data may only be processed for the purpose for which it was collected. This means that a data controller is not permitted to collect personal data for one purpose and use it for another.
  3. Data Minimisation: Personal data should only be collected if it is necessary for the purpose. This means that the data controller must only collect the data that it needs for that purpose.
  4. Data Accuracy: Personal data must always be accurate. This means that personal data must be accurate and, where appropriate, kept up to date.
  5. Storage Limitation: Personal data may not be kept for longer than necessary. This means that once the personal data is no longer needed it should be destroyed.
  6. Respect for the Individual’s Rights: Personal data shall only be processed with the rights of the individual in mind. This means that personal data must be processed in accordance with the rights of data subjects prescribed under the DPL.
  7. Security – Integrity and Confidentiality: Personal data must always be kept safe. This means that personal data must be protected by technical and organisational measures against unlawful or unauthorised processing, inadvertent harm and malicious attacks.
  8. International Transfers: Personal data may not be transferred outside the Cayman Islands unless it is adequately protected. This means that the data must not leave the Cayman Islands for another jurisdiction unless that jurisdiction has equivalent levels of protection or adequate safeguards are in place to protect the personal data, subject to certain exceptions.

When it comes into force, the DPL will affect any individual or organisation established in the Cayman Islands which processes personal data, even where the processing is conducted outside of the Cayman Islands. In most cases the DPL will only apply to a data controller if it is established in the Cayman Islands (including any branches or agencies) and it processes personal data in connection with that establishment. There are certain instances where a foreign entity processes personal data in the Cayman Islands for a purpose “other than for purposes of transit through the Cayman Islands” (for example, where Cayman Islands residents are actively solicited by an overseas provider of services and products). Such foreign entities will be required to nominate a local representative in the Cayman Islands. Although based on the same underlying principles, clients should be mindful that the DPL is not a direct transcription of broad data protection laws such as the European Union’s General Data Protection Regulation ("GDPR"). Whilst it is likely that any organisation or individual which was, for example, already GDPR compliant would also be compliant with the DPL, you should still undertake a detailed analysis of your systems in order to ensure compliance.

The DPL will give individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. You will need to have policies and procedures in place by 30 September 2019 to manage these requests. The DPL will also oblige businesses to cease processing personal data once the purposes for which that data was collected have been exhausted.

The DPL does not set out fixed data retention periods. If you are a data controller, you will need to decide what a suitable retention period is, depending on the nature of the data subject and the context of the retention. Once a retention period has been decided upon, it will be necessary to determine the manner of deletion at the end of that period to ensure that it satisfies the requirements of the DPL.

The DPL applies directly to data controllers and not to data processors. However, where a data processor is used, the data controller must ensure that a written contract is in place between them which requires the data processor to act only on the instructions given by the data controller and to comply with obligations equivalent to the Security – Integrity and Confidentiality principle noted above.

The Office of the Ombudsman is to be the Cayman Islands’ supervisory authority for data protection. The Ombudsman will gain its powers when the DPL comes into force on 30 September 2019. The Ombudsman has published extensive guidance ahead of time in order to assist organisations to ensure compliance. As the DPL is modelled on GDPR, supervisory authorities and court decisions in the European Union will be an important resource for organisations and the Ombudsman in interpreting and applying the DPL.

Once it is in force, breaches of the DPL could result in fines of up to CI$100,000 (US$125,000) per breach, imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to CI$250,000 (US$312,500) are also possible under the law.

If you believe the DPL applies to you or one of your entities, or you otherwise require any further information in relation to the DPL, please get in touch with your regular contact at Stuarts Walker Hersant Humphries.

This publication is for general guidance and is not intended to be a substitute for specific legal advice. Specialist advice should be sought about specific circumstances.

If you would like further information, please contact:

Jonathan McLean

Partner

Tel: (345) 814-7930

[email protected]

Simon Orriss

Associate

Tel: (345) 814-7931

[email protected]

[1] The DPL defines a data controller as the person who, alone or jointly with others, determines the purposes, conditions and manner in which any personal data are, or are to be, processed.

[2] The DPL defines personal data as data relating to a living individual who can be identified and includes data such as: (a) the living individual’s location data, online identifier or factors specific to the…identity of the living individual; (b) an expression of opinion about the living individual; or (c) any indication of the intentions of [any person]…in respect of the living individual.

[3] The DPL defines a data subject as (a) an identified living individual; or (b) a living individual who can be identified directly or indirectly by means reasonably likely to be used by the data controller or by any other person.

[4] The DPL defines a data processor as any person who processes the data on behalf of a data controller, but does not include an employee of the data controller.