Protecting Personal Data – Are You Prepared?

9 June2017



Under the new Data Protection Law, gazetted on Monday, the future processing of all personal data in the Cayman Islands will be regulated. All organisations handling personal data in Cayman now need to pay close attention to data protection issues as obligations to collect personal data increase with new international data sharing regimes

"Under the new law, personal data is defined widely to include any data which enables an individual to be identified. All personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the data subject in advance through a privacy policy or similar notice," said Peter Colegate, a privacy and data protection specialist in the Corporate Department at Appleby.

"Personal data holdings should not be excessive in relation to the purposes for which they are collected and must be destroyed in a secure way once those purposes have been fulfilled. Organisations must also put in place appropriate technical safeguards to protect personal data from unauthorised or unlawful processing," continued Mr. Colegate.

International obligations, together with cybersecurity concerns and innovative technology deployments are making the regulation of personal data more complex than ever before. Businesses need to get it right - reputations and criminal liability will soon be at stake.

The new law, which was drafted around a set of internationally recognised privacy principles, provides a framework of rights and duties designed to give individuals greater control over their personal data. With possible criminal penalties for breaches including fines of up to $100,000 and imprisonment for 5 years the law also supports a growing expectation from international businesses and their clients that organisations operating in offshore jurisdictions have comprehensive data protection compliance requirements in place, backed up by robust data privacy legislation.

Employer Obligations

Protection of employee personal data will also be critical under the new law. Employers are required to set out the purposes for which employee personal data is being collected and details of whom that data may be shared with. Employees must also be informed of any countries or territories outside the Cayman Islands to which their personal data may be transferred. Recommended best practice would be for this information to be set out in a separate privacy notice which can be provided to the employee with their employment contract.

"A data protection policy should be tailored to an employer's business to take account of the structure of its organisation, resources and particular personal data which it may process. The policy must be communicated to employees and monitored over time to ensure compliance", said Kathryn Rowe, Senior Associate at Appleby specialising in Immigration and Employment. "Ideally, the policy should identify a compliance manager who is responsible for reviewing, implementing and monitoring compliance with the policy."

Cyber Crime

Offshore financial centres represent an attractive target for cyber criminals because of the large and often highly sensitive data holdings being collectively managed by those centres. As organisations increasingly outsource a significant part of their day-to-day operations to external service providers, these transfers also leave them vulnerable to attack. Cyber criminals can easily identify and exploit weak links in the flow of information between the organisation and its external providers.

Personal data that may have been anonymised or aggregated by an organisation will still require careful handling. "The rise of social media and the increase in online public data sources means cyber criminals are now easily able to re-identify individuals by combining that information with the anonymised or aggregated datasets," said Mr. Colegate.

"Contractual provisions should be put in place between the organisation and the third party service provider to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that disaster recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited," added Mr. Colegate.


Practice Areas

Subscribe to Appleby's insights