Cayman’s Data Protection Law in force from September 2019

Published: 19 Nov 2018
Type: Insight

The Cayman Islands Data Protection Law, 2017 (“DPL”), which was expected to come into force on 29 January 2019, will now come into force in September 2019.


The DPL will regulate the future processing of all personal data in the Cayman Islands. Drafted around a set of internationally recognised privacy principles, the new law provides a framework of rights and duties designed to give individuals greater control over their personal data, and will stand as the most comprehensive data protection law in the region.

With the implementation date now set, organisations should take steps now to ensure they understand their obligations under the new law, have in place policies and procedures to ensure the proper protection of all personal data under their control and create an effective governance regime for approving, overseeing, implementing and reviewing those policies. Organisations in Cayman need to get it right – reputations and criminal liability will soon be at stake.

Overview of the DPL

The DPL provides a framework of rights and duties designed to give individuals greater control over their personal data. Importantly, the new law supports a growing expectation from international businesses and their clients that organisations operating in offshore jurisdictions have comprehensive data protection compliance requirements backed up by robust data privacy legislation. Personal data is defined widely under the law to include any data relating to a living individual. Personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the individual data subject in advance.

Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing can only be undertaken if fresh consent is obtained. Data subjects must also be informed of any countries or territories outside the Cayman Islands to which their personal data may be transferred.

Achieving compliance

The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. Organisations will need to have policies and procedures in place to manage these requests. The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted.

Prescribed data retention periods are not set out in the DPL but analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.

Implementing a data protection compliance programme involves engaging with the right stakeholders across the organisation and creating an effective governance regime for approving, overseeing, implementing and reviewing the various policies. A coordinated chain of command should be developed, together with written reporting procedures, authority levels and protocols including seeking and complying with legal advice. The appointment of official roles such as a Data Protection Officer is also recommended.

The Office of the Ombudsman, which will have responsibility for enforcing the new law, has issued a Guide for Data Controllers to assist the implementation process.

Breaches of the DPL could result in fines of up to Cl$100,000 per breach, imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to Cl$250,000 are also possible under the law.

Share
More publications
Appleby-Website-Banking-and-Asset-Finance
13 Jul 2026

Guide to Loans & Secured Financing in the Cayman Islands 2026

This guide provides local insights into the legal and regulatory framework governing bank lending and finance. It covers key topics including bank loans versus debt securities, common forms of bank loan facilities, bridge financing, the roles of agents, trustees and lenders, and governing laws. It also examines the regulatory landscape, including capital, liquidity and disclosure requirements, the use of loan proceeds, cross-border lending, and interest rate and currency restrictions. In addition, the guide explores security interests and guarantees, the impact of fraudulent conveyance and similar doctrines on bank loan financing structures, intercreditor arrangements, loan terms and structures, and recent market developments.

Appleby-Website-Insolvency-and-Restructuring
9 Jul 2026

A Warning to Litigants Seeking Funding: English High Court Clarifies the Limits of Litigation Privilege

Important for Cayman litigants, funders and attorneys given the growing use of third-party funding in disputes.

Appleby-Website-Fraud-and-Asset-Tracing
8 Jul 2026

A Cautionary Tale in Interim Injunctive Relief: Lessons from Dixon v Seymour

In a recent judgment of Chief Justice Ramsay-Hale, the Cayman Grand Court provided guidance on the necessary components of an application for interim injunctive relief. The ruling illustrates how an ex parte application may fail to satisfy the American Cyanamid test when unsupported by proper evidence.

Appleby-Website-Regulatory-Practice
7 Jul 2026

CIMA’s 2026 Reinsurance Thematic Review: Focus Points for Boards

The Cayman Islands Monetary Authority (CIMA) has published its 2026 Thematic Review of Reinsurance Companies (Thematic Review). This reflects fieldwork conducted by CIMA between mid-2025 and Q1 2026 at selected Class B(iii) and Class D licensed reinsurers. The focus being on compliance with the Insurance Act (as revised) and other applicable legislation, regulations, rules and statements of guidance as issued by CIMA centering around stress-testing, cash flow testing frameworks, capital and collateral adequacy management, and corporate governance. Corporate governance weaknesses account for 68% of all findings with the remaining 32% spread across stress-testing, cash flow testing capital and collateral adequacy. Notwithstanding these findings, CIMA has noted several good practices across all areas including, importantly, comprehensive risk management frameworks covering key risk areas and strong capital and collateral adequacy monitoring processes. With Cayman’s reinsurance sector having grown to an institutional scale, and over 110 licensed reinsurers writing in the order of US$30 billion in annual premiums against over US$100 billion in assets, this latest Thematic Review demonstrates development in CIMA’s supervisory expectations of Cayman’s licensed reinsurers. It represents a reflection of the jurisdiction’s increasingly sophisticated and maturing reinsurance market and reinforces that CIMA’s expectations align closely with the standards that onshore counterparty cedants, rating agencies and US state regulators already expect. We take this opportunity to review certain of the key findings alongside CIMA’s cross-sectoral 2026 Thematic Review on Outsourcing, note some of the good practices highlighted by CIMA and make some associated recommendations for Cayman reinsurers.

Appleby-Website-Regulatory-Practice
25 Jun 2026

CIMA Enforcement Action in Focus: Reminders and Recommendations

The Cayman Islands Monetary Authority (CIMA) has recently published a number of Enforcement Notices that provide helpful context for regulated entities, including Licensees and Registered Persons under the Securities Investment Business Act (Revised) (SIBA), seeking to understand and meet their ongoing regulatory obligations in the Cayman Islands. In early June 2026, CIMA exercised its enforcement powers under SIBA Section 17 to cancel the registrations of several SIBA Registered Persons on the basis that it had reasonable grounds to believe that such Registered Persons had failed to meet certain key regulatory obligations. The Appleby Team takes this opportunity to review the relevant findings and CIMA enforcement action; and to highlight certain key obligations that attach to regulated entities in the Cayman Islands.

Appleby-Website-Regulatory-Practice
23 Jun 2026

Important Cayman Islands Industry Advisory: Common Reporting Standard 2.0 and Economic Substance Updates

Further to the introduction of the Tax Information Authority (International Tax Compliance) (Common Reporting Standard) (Amendment) Regulations, 2025 (the CRS Amendment Regulations or CRS 2.0), the Cayman Islands Department for International Tax Cooperation (DITC) has issued an Industry Advisory flagging certain key updates in respect of Common Reporting Standard (CRS) and Economic Substance (ES) reporting in the Cayman Islands. Cayman Financial Institutions will be required file 2025 CRS Returns and Declarations by 31 July 2026, ahead of the online DITC Portal’s closure to facilitate its transition to XML Schema v3.0. ES courtesy reminders (which have historically been sent by email to designated Responsible Persons in advance of annual ES reporting deadlines) will no longer be issued such that Relevant Entities will need to independently track such deadlines themselves. Updated Individual and Entity CRS Self-Certification forms, aligned with CRS 2.0, are now available online via the DITC website.

JPLs, Directors and Arbitration: Grand Court Clarifies the Scope of Provisional Liquidators' Powers
18 Jun 2026

JPLs, Directors and Arbitration: Grand Court Clarifies the Scope of Provisional Liquidators' Powers

In Peakwave Investment Management Ltd v Energy Evolution GP Ltd [2026] CIGC (FSD) 22, the Grand Court clarified the scope of joint provisional liquidators' powers following their appointment. In particular, the Court confirmed that the appointment of provisional liquidators does not automatically displace existing directors.

Appleby-Website-Cayman2
17 Jun 2026

Property, Fairness and the Constitution: The Grand Court Marks the Boundaries of Freedom of Information

The Grand Court of the Cayman Islands has overturned a decision of the Ombudsman in a successful judicial review brought by Caribbean Utilities Company, Ltd. (CUC), represented by Appleby.

JPLs, Directors and Arbitration: Grand Court Clarifies the Scope of Provisional Liquidators' Powers
28 Apr 2026

The Interplay Between Supervision Applications and Winding Up on the Just and Equitable Ground: Re Atlas Capital Markets LLC

In its recent judgment in Re Atlas Capital Markets LLC [2026] CIGC (FSD) 19, the Grand Court considered itself bound to make a supervision order pursuant to s.131(b) of the Companies Act, notwithstanding that the company was the subject of a pending just and equitable winding up (J&E) petition when its voluntary liquidation was commenced; and rejected an attack on the joint voluntary liquidators’ (JVLs) independence, which was principally based on a misreading of the JVLs’ evidence and lacked any objective foundation. The authors, who successfully represented the JVLs in obtaining the supervision order, discuss this important judgment further below – which is believed to be the first decision on the interplay between supervision applications and J&E proceedings under the Companies Act – and offer their views on the guidance that shareholders petitioning on the just and equitable ground may derive from it in future cases.  The challenge to the JVLs’ independence was rejected on the well-established principles which Doyle J discussed in Re Global Fidelity Bank [2021] 2 CILR 361, and is not discussed in further detail below.