News and developments

The Cayman Islands Data Protection Law, 2017


The following information relates to the enactment of The Cayman Islands Data Protection Law, 2017 ("DPL"), which comes into effect on 30 September 2019. The DPL will regulate the processing of all personal data in the Cayman Islands. It gives individuals control over their personal data and protects against its misuse in both the public and private sectors.

The DPL applies to "data controllers"[1], who are required to ensure that the "personal data"[2] of a "data subject"[3] which they process, or which is processed on their behalf by a "data processor"[4], is processed in accordance with the eight data protection principles prescribed under the DPL, as below:

  • Fair and Lawful Use: Personal data must be processed in a fair and lawful manner. This means that the data controller must inform a data subject (i) who they are and (ii) the purpose for which the personal data will be used. In addition, there must be a legal ground that permits the data controller to process the personal data, such as (i) the data subject has consented to the processing, (ii) the processing is necessary for the performance of a contract to which the data subject is a party or (iii) the processing is required under law.

  • Purpose Limitation: Personal data may only be processed for the purpose for which it was collected. This means that a data controller is not permitted to collect personal data for one purpose and use it for another.

  • Data Minimisation: Personal data should only be collected if it is necessary for the purpose. This means that the data controller must collect only the data that it needs for that purpose.

  • Data Accuracy: Personal data must always be accurate. This means that personal data must be accurate and, where appropriate, kept up to date.

  • Storage Limitation: Personal data may not be kept for longer than necessary. This means that once the personal data is no longer needed it should be destroyed.

  • Respect for the Individual's Rights: Personal data shall only be processed with the rights of the individual in mind. This means that personal data must be processed in accordance with the rights of data subjects prescribed under the DPL.

  • Security – Integrity and Confidentiality: Personal data must always be kept safe. This means that personal data must be protected by technical and organisational measures against unlawful or unauthorised processing and against inadvertent harm to, or malicious attacks on, such personal data.

  • International Transfers: Personal data may not be transferred outside the Cayman Islands unless it is adequately protected. This means that the data must not leave the Cayman Islands for another jurisdiction unless that jurisdiction has equivalent levels of protection or adequate safeguards are in place to protect the personal data, subject to certain exceptions.

When it comes into force, the DPL will affect any individual or organisation established in the Cayman Islands which processes personal data, even where the processing is conducted outside of the Cayman Islands. In most cases the DPL will only apply to a data controller if it is established in the Cayman Islands (including any branches or agencies) and it processes personal data in connection with that establishment. The DPL also applies in certain instances where a foreign entity processes personal data in the Cayman Islands for any purpose "other than for purposes of transit through the Cayman Islands" (for example, where Cayman Islands residents are actively solicited by an overseas provider of services and products). Such foreign entities will be required to nominate a local representative in the Cayman Islands. Although based on the same underlying principles, clients should be mindful that the DPL is not a direct transcription of broad data protection laws such as the European Union's General Data Protection Regulation ("GDPR").

Whilst it is likely that any organisation or individual which was, for example, already GDPR compliant would also be compliant with the DPL, you should still undertake a detailed analysis of your systems in order to ensure compliance.

The DPL will give individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. You will need to have policies and procedures in place by 30 September 2019 to manage these requests. The DPL will also oblige businesses to cease processing personal data once the purposes for which that data was collected have been exhausted.

The DPL does not set out fixed data retention periods. If you are a data controller then you will need to decide what a suitable retention period is, depending on the nature of the data subject and the context of the retention. Once a retention period is decided upon, it will be necessary to determine the manner of deletion at the end of that period so that it satisfies the requirements of the DPL.

The DPL applies directly to data controllers and not to data processors. However, where a data processor is used, the data controller must ensure that a written contract is in place between them which requires the data processor to act only on the instructions given by the data controller and to comply with obligations equivalent to the Security – Integrity and Confidentiality principle noted above.

The Office of the Ombudsman is to be the Cayman Islands' supervisory authority for data protection. The Ombudsman will gain its powers when the DPL comes into force on 30 September 2019, and has published extensive guidance ahead of time to assist organisations in ensuring compliance. As the DPL is modelled on the GDPR, supervisory authority and court decisions in the European Union will be an important resource for organisations and the Ombudsman in interpreting and applying the DPL.

Once it is in force, breaches of the DPL could result in fines of up to CI$100,000 (US$125,000) per breach, imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to CI$250,000 (US$312,500) are also possible under the law.

If you believe the DPL applies to you or one of your entities, or you otherwise require any further information in relation to the DPL, please get in touch with your regular contact at Stuarts Walker Hersant Humphries.

This publication is for general guidance and is not intended to be a substitute for specific legal advice. Specialist advice should be sought about specific circumstances.

If you would like further information please contact:

Jonathan McLean
Partner
Tel: (345) 814-7930
[email protected]

Simon Orriss
Associate
Tel: (345) 814-7931
[email protected]

[1] The DPL defines a data controller as the person who, alone or jointly with others, determines the purposes, conditions and manner in which any personal data are, or are to be, processed.

[2] The DPL defines personal data as data relating to a living individual who can be identified and includes data such as: (a) the living individual's location data, online identifier or factors specific to the…identity of the living individual; (b) an expression of opinion about the living individual; or (c) any indication of the intentions of [any person]…in respect of the living individual.

[3] The DPL defines a data subject as (a) an identified living individual; or (b) a living individual who can be identified directly or indirectly by means reasonably likely to be used by the data controller or by any other person.

[4] The DPL defines a data processor as any person who processes the data on behalf of a data controller, but does not include an employee of the data controller.