The law supports a growing expectation from international businesses and their clients that organisations operating in offshore jurisdictions have comprehensive data protection compliance requirements in place, backed up by robust data privacy legislation. Breaches of the new law can result in fines of up to $100,000 and five years’ imprisonment.

Under the law, obligations to collect personal data increase with new international data sharing regimes. These requirements would apply to any organisation in Cayman that handles personal data.

Peter Colegate, a privacy and data protection specialist in the Corporate Department at Appleby, said under the new law, personal data is defined widely to include any data that allows an individual to be identified. All personal data must be processed fairly and lawfully and used for a legitimate purpose that the data subject has been notified of in advance through a privacy policy or similar notice, he said.

“Personal data holdings should not be excessive in relation to the purposes for which they are collected and must be destroyed in a secure way once those purposes have been fulfilled. Organisations must also put in place appropriate technical safeguards to protect personal data from unauthorised or unlawful processing,” he said.

Employer obligations

Cayman employers are required to set out both the purpose for which employee personal data is collected and with whom that data may be shared. Employers must also notify employees if their personal data is transferred to any countries or territories outside of the Cayman Islands. Best practice would be for this information to be set out in a separate privacy notice which can be provided to the employee with their employment contract, the law firm states.

“A data protection policy should be tailored to an employer’s business to take account of the structure of its organisation, resources and particular personal data which it may process. The policy must be communicated to employees and monitored over time to ensure compliance,” said Kathryn Rowe, senior associate at Appleby specializing in Immigration and Employment. “Ideally, the policy should identify a compliance manager who is responsible for reviewing, implementing and monitoring compliance with the policy.”

Third-party service provider relationships

Offshore financial centers are a prime target for cybercriminals because they tend to manage large amounts of sensitive data. As organisations increasingly outsource a significant part of their day-to-day operations to external service providers, these transfers also leave them vulnerable to attack.

Cybercriminals can easily identify and exploit weak links in the flow of information between an organisation and its external providers, Appleby said.

Even personal data that has been anonymised or aggregated by an organisation will still require careful handling. “The rise of social media and the increase in online public data sources means cybercriminals are now easily able to re-identify individuals by combining that information with the anonymized or aggregated datasets,” said Mr. Colegate.

“Contractual provisions should be put in place between the organisation and the third-party service provider to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that disaster recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited,” Mr. Colegate added.
