The Cayman Islands Data Protection Law – September 2019

The Data Protection Law, 2017 (DPL) came into effect in the Cayman Islands on Sept. 30, 2019. The DPL introduces a legislative framework on data protection in the Cayman Islands and has been drafted around the European Union’s General Data Protection Regulation (GDPR).

The DPL governs and defines both personal data and sensitive personal data. Personal data is any information relating to a living individual who can be directly or indirectly identified. Sensitive personal data includes genetic and health data, as well as information on racial or ethnic origins, political opinions, religious or similar beliefs, sex life, and the commission or alleged commission of an offence. The DPL applies to personal data in any format, including in automated and manual filing systems.

The DPL stipulates that businesses cease processing personal data once the purpose for which that data has been collected has been achieved. The DPL provides the following rights to individuals with respect to the privacy of their personal data:

• The right to be informed
• The right of access
• The right to rectification
• The right to stop/restrict processing
• The right to stop direct marketing
• The rights in relation to automated decision-making
• The right to seek compensation
• The right to complain

The DPL applies to any data controller that is: 1) established in the Cayman Islands and processes personal data and/or sensitive personal data; or 2) is not established in the Cayman Islands, but who processes personal data in the Cayman Islands. A data controller is any person who determines the purposes, conditions and manner in which any personal data is processed including, but not limited to, any:

• Anti-money laundering measures
• Due diligence procedures
• Regulatory obligations

In addition, the DPL applies to any data processor who is engaged by a data controller to process personal data without determining why the personal data should be processed.

Overview of the DPL

The DPL is based on eight data protection principles that provide a framework for personal data processing:

1. Personal data must be processed in a fair and lawful manner. Organizations must have valid grounds for handling personal data. Individuals should be aware of the purpose of the data collection and the data processing may not be unexpected or misleading to the individual. This should be communicated to the individual as soon as reasonably practicable, typically through a privacy notice.
2. Personal data processing is limited. It must only be processed for the purpose it was collected. Organizations should avoid reusing personal data for additional purposes. If the personal data is to be used for a new purpose, consent should be obtained from the individual.
3. Personal data collection should not be excessive. It should be adequate to fulfill the purpose, relevant to the purpose and limited to what is necessary for that purpose. Data should be periodically reviewed and destroyed when it is no longer required.
4. Personal data must be up to date and accurate. Organizations must take steps to ensure personal data is not incorrect or misleading. If information is incorrect or misleading, the data should be corrected or destroyed.
5. Personal data must not be kept for longer than necessary based on the purpose of collection. Once fulfilled, the information should be destroyed or anonymized. Where possible, a policy should be created for standard documentation retention periods.
6. Personal data should only be processed in accordance with the rights of the individual. This includes having processes in place to address requests by individuals relating to their personal data.
7. Personal data must always be secure, ensuring that the integrity and confidentiality of the information remain intact. Organizations should identify and assess the risks created by data processing and ensure security measures are in place to address these.
8. Personal data may not be transferred abroad, unless it is adequately protected. Countries that are subject to the GDPR are deemed to have an adequate level of protection. Transfers to countries not covered by the GDPR should be evaluated to assess the level and adequacy of protection present.

Compliance with the DPL

Organizations should take steps to ensure they understand their obligations under the DPL. Policies and procedures should be reviewed, evaluated and adjusted as necessary to ensure proper protection of all personal data under an organization’s control. The above protection principles should be used as the basis to assess existing policies and procedures to ensure compliance.

The DPL itself does not require an organization to appoint a Data Protection Officer (DPO); however, this may be appropriate for larger or complex organizations.

Personal data breaches

The Office of the Ombudsman maintains the responsibility for enforcing the DPL and has released a “Guide for Data Controllers” to assist in the implementation process. Any breach of the DPL should be reported to the Office of the Ombudsman and the individual affected within five days. Breaches of the DPL could result in fines of up to CI$100,000 per breach, imprisonment for a term of up to five years, or both. Other monetary penalties of up to CI$250,000 are also possible under the DPL.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.