The law supports a growing expectation from international businesses and their clients that organisations operating in offshore jurisdictions have comprehensive data protection compliance requirements in place, backed up by robust data privacy legislation. Breaches of the new law can result in fines of up to $100,000 and five years’ imprisonment.

Under the law, obligations to collect personal data increase with new international data sharing regimes. These requirements would apply to any organisation in Cayman that handles personal data.


Peter Colegate, a privacy and data protection specialist in the Corporate Department at Appleby, said under the new law, personal data is defined widely to include any data that allows an individual to be identified. All personal data must be processed fairly and lawfully and used for a legitimate purpose that the data subject has been notified of in advance through a privacy policy or similar notice, he said.

“Personal data holdings should not be excessive in relation to the purposes for which they are collected and must be destroyed in a secure way once those purposes have been fulfilled. Organisations must also put in place appropriate technical safeguards to protect personal data from unauthorised or unlawful processing,” he said.

Employer obligations

Cayman employers are required to set out both the purpose for which employee personal data is collected and with whom that data may be shared. Employers must also notify employees if their personal data is transferred to any countries or territories outside of the Cayman Islands. Best practice would be for this information to be set out in a separate privacy notice which can be provided to the employee with their employment contract, the law firm states.

“A data protection policy should be tailored to an employer’s business to take account of the structure of its organisation, resources and particular personal data which it may process. The policy must be communicated to employees and monitored over time to ensure compliance,” said Kathryn Rowe, senior associate at Appleby specializing in Immigration and Employment. “Ideally, the policy should identify a compliance manager who is responsible for reviewing, implementing and monitoring compliance with the policy.”

Third-party service provider relationships

Offshore financial centers are a prime target for cybercriminals because they tend to manage large amounts of sensitive data. As organisations increasingly outsource a significant part of their day-to-day operations to external service providers, these transfers also leave them vulnerable to attack.

Cybercriminals can easily identify and exploit weak links in the flow of information between an organisation and its external providers, Appleby said.

Even personal data that has been anonymised or aggregated by an organisation will still require careful handling. “The rise of social media and the increase in online public data sources means cybercriminals are now easily able to re-identify individuals by combining that information with the anonymized or aggregated datasets,” said Mr. Colegate.

“Contractual provisions should be put in place between the organisation and the third-party service provider to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that disaster recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited,” Mr. Colegate added.
