The law supports a growing expectation from international businesses and their clients that organisations operating in offshore jurisdictions have comprehensive data protection compliance requirements in place, backed up by robust data privacy legislation. Breaches of the new law can result in fines of up to $100,000 and five years’ imprisonment.
Under the law, obligations attached to the collection of personal data increase alongside new international data sharing regimes. These requirements would apply to any organisation in Cayman that handles personal data.
“Personal data holdings should not be excessive in relation to the purposes for which they are collected and must be destroyed in a secure way once those purposes have been fulfilled. Organisations must also put in place appropriate technical safeguards to protect personal data from unauthorised or unlawful processing,” he said.
Cayman employers are required to set out both the purpose for which employee personal data is collected and with whom that data may be shared. Employers must also notify employees if their personal data is transferred to any countries or territories outside of the Cayman Islands. Best practice would be for this information to be set out in a separate privacy notice which can be provided to the employee with their employment contract, the law firm states.
“A data protection policy should be tailored to an employer’s business to take account of the structure of its organisation, resources and particular personal data which it may process. The policy must be communicated to employees and monitored over time to ensure compliance,” said Kathryn Rowe, senior associate at Appleby specialising in Immigration and Employment. “Ideally, the policy should identify a compliance manager who is responsible for reviewing, implementing and monitoring compliance with the policy.”
Third-party service provider relationships
Offshore financial centers are a prime target for cybercriminals because they tend to manage large amounts of sensitive data. As organisations increasingly outsource a significant part of their day-to-day operations to external service providers, these transfers also leave them vulnerable to attack.
Cybercriminals can easily identify and exploit weak links in the flow of information between an organisation and its external providers, Appleby said.
Even personal data that has been anonymised or aggregated by an organisation will still require careful handling. “The rise of social media and the increase in online public data sources means cybercriminals are now easily able to re-identify individuals by combining that information with the anonymised or aggregated datasets,” said Mr. Colegate.
“Contractual provisions should be put in place between the organisation and the third-party service provider to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that disaster recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited,” Mr. Colegate added.