The Cayman Islands Data Protection Act, 2017

The DPA will come into effect in September 2019. The DPA is broadly based on the same internationally recognized principles that form the basis for other data protection laws around the world. The  DPA regime will protect the storage and use of personal data by those that hold it. When it comes into force, the Law will affect any individual or organisation established in the Cayman Islands which processes personal data, even where the processing is conducted outside of the Cayman Islands. Although based on the same underlying principles, clients should be mindful that the DPA is not a direct transcription of broad data protection laws such as the European Union’s ("EU") General Data Protection Regulation ("GDPR"). GDPR can apply to individuals, private or public entities, outside of Europe, including Cayman entities interacting with EU residents, but it is not a Cayman regime. Whilst it is likely that any organisation or individual which was, for example, already GDPR compliant would be compliant with the DPA clients should still undertake a detailed analysis of their systems in order to ensure compliance.

The DPA gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. Organisations will need to have policies and procedures in place to manage these requests. The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted.

The DPA does not set out fixed data retention periods. Data controllers will need to decide for themselves what a suitable retention period is, depending on the nature of the data subject ant the context of the retention. Once a retention period is decided upon it will be necessary to determine the manner of deletion at the end of that period to ensure that it satisfies the requirements of the DPA.

Organisations not established in Cayman will need to appoint a local representative established in Cayman to be their data controller. The local representative can be an individual ordinarily resident in the Islands, a foreign company, a partnership or other unincorporated entity formed under the laws of the Islands, or any other person who maintains, in the Islands, an office, branch, agency or regular practice. This gives broad discretion as to who the local representative can be. The identity of the representative must be stated in the organisation’s privacy notice.

The Office of the Ombudsman is to be the Cayman Islands’ supervisory authority for data protection. The Ombudsman will gain its powers when the DPA comes into force in September 2019. The Ombudsman has published extensive guidance ahead of time in order to assist organisations to ensure compliance. As the DPA is modelled on European data protection legislation, supervisory authorities and court decisions in the European Union will be an important resource for organisations and the Ombudsman in interpreting and applying the DPA.

Breaches of the DPA could result in fines of up to Cl$100,000 (US$125,000) per breach, imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to Cl$250,000 (US$312,500) are also possible under the law.

Read our full Guidance note in PDF here: The Cayman Islands Data Protection Act, 2017.