The DPL will regulate the future processing of all personal data in the Cayman Islands. Drafted around a set of internationally recognised privacy principles, the new law provides a framework of rights and duties designed to give individuals greater control over their personal data, and will stand as the most comprehensive data protection law in the region.

With the implementation date now set, organisations should take steps now to ensure they understand their obligations under the new law, have in place policies and procedures to ensure the proper protection of all personal data under their control and create an effective governance regime for approving, overseeing, implementing and reviewing those policies. Organisations in Cayman need to get it right – reputations and criminal liability will soon be at stake.

Overview of the DPL

The DPL provides a framework of rights and duties designed to give individuals greater control over their personal data. Importantly, the new law supports a growing expectation from international businesses and their clients that organisations operating in offshore jurisdictions have comprehensive data protection compliance requirements backed up by robust data privacy legislation. Personal data is defined widely under the law to include any data relating to a living individual. Personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the individual data subject in advance.

Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing can only be undertaken if fresh consent is obtained. Data subjects must also be informed of any countries or territories outside the Cayman Islands to which their personal data may be transferred.

Achieving compliance

The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. Organisations will need to have policies and procedures in place to manage these requests. The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted.

Prescribed data retention periods are not set out in the DPL but analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.

Implementing a data protection compliance programme involves engaging with the right stakeholders across the organisation and creating an effective governance regime for approving, overseeing, implementing and reviewing the various policies. A coordinated chain of command should be developed, together with written reporting procedures, authority levels and protocols including seeking and complying with legal advice. The appointment of official roles such as a Data Protection Officer is also recommended.

The Office of the Ombudsman, which will have responsibility for enforcing the new law, has issued a Guide for Data Controllers to assist the implementation process.

Breaches of the DPL could result in fines of up to Cl$100,000 per breach, imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to Cl$250,000 are also possible under the law.

Share
X.com LinkedIn Email Save as PDF
More Publications
9 Oct 2024

Court of Appeal clarifies the merits threshold for the grant of freezing injunctions

What is a “good arguable case”? Alan Bercow looks at the Court of Appeal decision in Isabel dos ...

7 Oct 2024

The Global – your offshore corporate law questions answered: October 2024

The Global is a quarterly collection of corporate expert insights and analysis across Appleby's glob...

3 Oct 2024

D’Aloia v Persons Unknown: Words of Warning for Cryptoexchanges and Implications for Victims of Crypto Fraud

In a recent judgment in D’Aloia v Persons Unknown, the High Court of England and Wales provided v...

2 Oct 2024

What Are the Duties of the Anti-Money Laundering Officers of a Cayman Fund?

All Cayman Islands funds are required to designate a natural person at managerial level as their Ant...

1 Oct 2024

Preparing for a Cayman Islands Monetary Authority Inspection

One of the most common ways in which CIMA assesses compliance with its regulatory framework is throu...

26 Sep 2024

Knowledge is key: Accessory Liability for a Strict Liability Offence Clarified

Why the UK Supreme Court’s clarification in Lifestyle Equities of accessory liability of directors...

23 Sep 2024

Not a “banana republic” – Cayman Court delivers conclusive judgment on matters of forum conveniens and abuse of process

The Hon, Justice Parker delivered an informative judgment, providing helpful guidance in the areas o...

23 Sep 2024

Navigating Access to Company Information: A Guide for Shareholders and Creditors of Cayman Incorporated Companies

It is very common for shareholders of a company to seek information on the affairs of the company. A...