The Data Protection Law, 2017 (DPL) came into effect in the Cayman Islands on Sept. 30, 2019. The DPL introduces a legislative framework on data protection in the Cayman Islands and has been drafted around the European Union’s General Data Protection Regulation (GDPR).
The DPL governs and defines both personal data and sensitive personal data. Personal data is any information relating to a living individual who can be directly or indirectly identified. Sensitive personal data includes genetic and health data, as well as information on racial or ethnic origins, political opinions, religious or similar beliefs, sex life, and the commission or alleged commission of an offence. The DPL applies to personal data in any format, including in automated and manual filing systems.
The DPL stipulates that businesses cease processing personal data once the purpose for which that data has been collected has been achieved. The DPL provides the following rights to individuals with respect to the privacy of their personal data:
The DPL applies to any data controller that is: 1) established in the Cayman Islands and processes personal data and/or sensitive personal data; or 2) is not established in the Cayman Islands, but who processes personal data in the Cayman Islands. A data controller is any person who determines the purposes, conditions and manner in which any personal data is processed including, but not limited to, any:
In addition, the DPL applies to any data processor who is engaged by a data controller to process personal data without determining why the personal data should be processed.
Overview of the DPL
The DPL is based on eight data protection principles that provide a framework for personal data processing:
Compliance with the DPL
Organizations should take steps to ensure they understand their obligations under the DPL. Policies and procedures should be reviewed, evaluated and adjusted as necessary to ensure proper protection of all personal data under an organization’s control. The above protection principles should be used as the basis to assess existing policies and procedures to ensure compliance.
The DPL itself does not require an organization to appoint a Data Protection Officer (DPO); however, this may be appropriate for larger or complex organizations.
Personal data breaches
The Office of the Ombudsman maintains the responsibility for enforcing the DPL and has released a “Guide for Data Controllers” to assist in the implementation process. Any breach of the DPL should be reported to the Office of the Ombudsman and the individual affected within five days. Breaches of the DPL could result in fines of up to CI$100,000 per breach, imprisonment for a term of up to five years, or both. Other monetary penalties of up to CI$250,000 are also possible under the DPL.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.