Key Areas: Cayman Islands' Data Protection Law

How will the DPL impact you?

The Data Protection Law, 2017 (“DPL”), which was passed by the Cayman Islands’ Legislative Assembly on March 27th, 2018 came into effect on September 30th, 2019. Compliance with this new law is likely to involve modifying existing processes and the implementation of new technological measures.

What is Data Protection Law, 2017?

The DPL gives individuals control over their personal data and protects against its misuse in both public and private sectors. The DPL focuses on safeguarding the personal data of data subjects within the Cayman Islands by data controllers and data processors. Organizations must identify how the DPL may impact them. Compliance with this new law is likely to involve modifying existing processes and the implementation of new technological measures. 

Territorial Scope

The DPL will apply to processing activities of data controllers and processors established on Cayman  and those outside of Cayman, whose activities consist of targeting data subjects on Island. 

If you are not established in the Cayman Islands but you nevertheless process personal data in the Cayman Islands (other than for transit purposes), you must nominate a local representative. The local representative can be an individual resident in Cayman, a foreign company, a partnership formed under the laws of Cayman or any other person who maintains an office/branch/agency in the Islands.

Key Roles and Definitions

The Office of the Ombudsman has been established by the government to serve as the supervisory authority for data protection. 

Data Subject refers to the person to whom the personal data relates to.

Data Controller is any person or organisation who, alone or jointly with others, determines the purposes, conditions and manner in which any personal data are, or are to be, processed and includes a local representative. 

If the organization is not established in the Islands but does process personal data in the Cayman Islands (otherwise for transit purposes), a local representative must be nominated. The local representative must be established in the Cayman Islands, or is, for all purposes within the islands, the data controller and bears all obligations of the data controller under the DPL.  The Organization is also required to state the local representative in their privacy notice.

Data Processor refers to any person who processes personal data on behalf of a data controller but, for the avoidance of doubt, does not include an employee of the data controller. 

Personal Data means data about or relating to a living, identified or identifiable individual regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.

Sensitive Personal Data means personal data that pose a higher risk to the individual’s rights and interests and warrant an extra level of care.

Some key obligations for organizations

Respect for the Individual’s Rights
Organisations must process all personal data in accordance with the rights of the individual.  Organisations must be prepared to comply with certain requirements regarding an Individual’s rights under the DPL, in relation to their personal data and how it is processed. All organisations should be prepared to respond to the likely requests and notices they may receive and meet the statutory timelines. 

In order to respond in a timely fashion to requests and notices from individuals, Organisations should have certain information readily available, such as:

  • What personal data the organization holds, 
  • Where this personal data is kept;
  • What the legal basis is for all processing of personal data, 
  • Where the organization obtained the personal data, 
  • Who the personal data is shared with, 
  • How long the organization will keep it, and 
  • How the organization will delete/destroy it once required.

Individuals have the right to complain to the Ombudsman about any perceived violation of the DPL.  Failure of an organisaiton to respect the individual’s rights may result in an investigation by the Office of Ombudsman and/or the aggrieved individual may seek compensation for damages in the courts.  

Privacy Notice
The DPL mandates that organisations provide data subjects a privacy notice stating the purposes behind the collection and processing of the data amongst other things. It should be provided to the data subject upfront. 

Consent must be explicit and retractable. It must be provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. 

A special regime is required for children under 18 where consent will have to be given or authorized by the holder of parental responsibility over the child.

Data Breach Notification
The DPL mandates that all personal data breaches are reported to the Office of the Ombudsman and the affected individual(s) within 5 days after becoming aware of such a breach.  Notifying the Office of the Ombudsman of a data breach will be done via a “Breach Notification Form” (which is forthcoming).  Organization may also contact the Office of the Ombudsman if you are unsure of whether a breach is reportable.

Data Processors are also obligated to report data breaches to respective data controllers.

International Transfer of Personal Data
The law prohibits the international transfer of personal data where the destination does not offer an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.  This is to ensure that the level of protection guaranteed by the DPL cannot be circumvented by transferring data abroad. 

This does not mean that personal data cannot be transferred internationally, but it does require such transfers to be assessed against the DPL.  

Failure to comply with the DPL

With the enforcement date fast approaching (30 September 2019), organizations are recommended to quickly assess DPL’s applicability and initiate their readiness journey at the earliest.  Failure to comply with the DPL may result in investigations from the Office of the Ombudsman, Fines or Monetary Penalties, and liability for damages for aggrieved individuals. 

Authority of Office of Ombudsman
The Office of the Ombudsman is the Cayman Island’s supervisory authority for data protection.  Some of the enforcement authorities the Ombudsman include:

  • Hear, investigate and rule on complaints; 
  • Intervenes and delivers opinions and orders related to processing operations;
  • Gives orders on rectification, blocking, erasure, or destruction of data;
  • Imposes temporary and permanent bans on processing;
  • Engages in proceedings where there are violations, and refer violations to the appropriate authorities; and
  • Co-operates with other supervisory authorities.

The Ombudsman may also refer alleged offences to the Director of Public Prosecution for possible prosecution in the courts.

The Ombudsman will be entitled to impose fines of CI$100,000 or imprisonment for a term of 5 years or both against the Data Controller. Monetary penalties of up to CI$250,000 may also be issued. 

Liability for Damages for an Aggrieved Individual
An individual has the right to complain to the Ombudsman about any perceived violation of the DPL, in relation to personal data processing that has not been or is not being carried out in compliance with the provisions of the DPL, or anything done pursuant to the DPL.  An individual may seek compensation for damages suffered due to contravention of the DPL through the courts.  

For more information on the Data Protection Law, visit the Office of the Ombudsman website here.

How Deloitte can help

Deloitte has a dedicated team of privacy specialists, with deep expertise in leading privacy programmes across large scale and complex organizations, embedding change.

  • Comprehensive DPL readiness assessment and compliance roadmap
  • Privacy Impact Assessment (PIA)
  • Personal data breach investigation and management
  • Incident response and forensic investigation support
  • Privacy by Design control framework
  • Data discovery, mapping and inventories
  • Policy analysis and design (such as Privacy policies & procedures, guidelines, privacy notices, cross border transfer mechanisms)
  • Regulatory liaison advice
  • DPL Technology Impact & Compliance Assessments
  • Privacy Risk and Compliance training

Source: Content featured on this page is based on Deloitte research from the Office of the Ombudsman website.

Did you find this useful?