Cayman Islands: Data protection law "is a powerful piece of legislation"

The Data Protection Law, 2017 ('the DPL') entered, on 30 September 2019, into effect.

Jeremy Bishop/unsplash.com

The DPL applies to any data controller that is established in the Cayman Islands and that processes personal data, or that is not established but processes personal data in the territory, other than for purposes of transiting the same. A 'data controller' is defined as a person who, alone or jointly with others, determines the purposes, conditions and manner in which any personal data are, or are to be, processed. In addition, the Ombudsman is the supervisory authority responsible for enforcing the DPL.

Peter Colegate, Counsel at Appleby, told OneTrust DataGuidance, "The DPL is a powerful piece of legislation. It introduces globally recognised principles on the use of personal data to the Cayman Islands. The DPL aligns the Islands with other major jurisdictions around the world and thereby facilitates the free flow of data, a pre-requisite for the Cayman Islands being an equal and competitive participant in today's globalised economy. Moreover, the DPL provides a standard framework for both public and private entities in the management of the personal data they use […] The DPL also aims to reduce the administrative burden of operating internationally and cement the Cayman Islands as an attractive jurisdiction in line with international standards. As a result, the DPL now stands as the most comprehensive data protection law in the Caribbean region."

The DPL provides data subjects with a number of rights, including the right to receive information on, or request access to, the personal data that the data controller holds about them; the right to require a data controller to cease processing, to not begin processing, or to cease processing for a specified purpose or in a specified manner; and the right to require the data controller to ensure that no decision is based solely on the processing by automatic means of the data subject's personal data. In addition, the Ombudsman may, following receipt of a data subject complaint under Section 43 of the DPL, order a data controller to rectify, block, erase or destroy personal data, if the Ombudsman determines that the personal data in question are inaccurate.

Data controllers are ultimately responsible for the data processors who process data on their behalf

Graham J. MacLeod, Attorney at Campbells, highlighted, "The DPL is based upon the UK's Data Protection Act 2018, as well as global privacy standards which seek to regulate the processing and safeguarding of personal data, and was drafted with the specific aim of achieving adequacy status with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Whilst GDPR compliance generally equates to DPL compliance, GDPR-compliant, Cayman-established entities must also be sure to comply with Section 16 of the DPL with respect to notifying the Ombudsman in the event of a data breach […] If a business is not yet compliant with the DPL, it should focus on developing and distributing a privacy notice which explains to its clients how personal data is collected and processed […] [In addition,] [i]f a business, as a data controller, uses third party service providers (data processors) to process personal data on its behalf, then it should establish a data processing agreement which clearly defines rights, responsibilities, and liability."

The DPL stipulates that, in the event of a data breach, a data controller must, within five days of becoming aware of the breach, notify the Ombudsman and data subjects whose personal data were affected of the breach. Moreover, the breach notice must describe the nature and consequences of the breach, the measures proposed or taken to address the breach, and recommended measures to the affected data subject to mitigate the possible adverse effects of the breach. The DPL provides that a data controller who contravenes the breach notification requirements commits an offence, is liable on conviction to a fine of KYD 100,000 (approx. €111,230), and may be subject to a cause of action for damages.

MacLeod added, "One of the DPL's main challenges is that data controllers are ultimately responsible for the data processors who process data on their behalf. This is particularly important in the context of a data breach because if the processor processed personal data in accordance with the controller's instructions and a data breach arose, then the controller is held liable (unless an act or omission by the processor, which fell outside of the controller's instructions, caused or contributed to the breach). However, to help safeguard data controllers, the DPL states that where processing of personal data is carried out by a processor on behalf of the controller, the controller is not considered to be compliant with the DPL unless such processing is carried out under a written contract which stipulates that, (i) the processor only processes personal data in accordance with the controller's instructions, and (ii) the processor will establish appropriate technical and organisational measures to safeguard against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

Bart van der Geest Privacy Analyst