Cayman Islands's Data Protection Law (DPL) in effect from September 2019

Your guide to becoming DPL Compliant and its implications.

On 30th September 2019 strict privacy protection rules come into force in the Cayman Islands that will affect every private and public sector entity involved in processing someone’s personal information.

Are you and your website ready for the new Cayman Islands Data Protection Law (DPL)?

If you haven’t done so already, as a website owner you should take immediate steps to ensure you understand your obligations under the new Cayman Islands Data Protection Law (DPL). You must have in place policies and procedures to ensure the proper protection of all personal data under your control and create an effective governance regime for approving, overseeing, implementing and reviewing those policies.

What is the DPL?

The DPL, gazetted in 2017 and originally expected to be implemented in January 2019, will finally come into force on September 30. It was set up for the protection of personal data relating to individuals, including how such data are collected, processed, stored or transmitted, particularly regarding individual dealings with government and corporate entities.

How is this going to impact you and/or your business?

This new law will have major implications for local and international firms in the Cayman Islands, as well as for any outside entities that have data processing functions here.

How does Netclues help clients meet DPL compliance?

Netclues has been advising clients about what their online data responsibilities are under the new law and making necessary changes for them in time for its implementation. We can also help you navigate your way through this complicated landscape to ensure compliance and improve online data security and management.

Many Cayman financial and law firms will already be quite familiar with the concept of data protection laws such as the UK’s Data Protection Act and the European Union’s General Data Protection Regulation (GDPR), a unified legal basis for data protection and enforcement across its member states. But there are still many smaller local companies here that may be unfamiliar or entirely unaware of what is required.

What are the data protection and privacy requirements of DPL?

DPL provides a framework of rights and duties designed to give individuals doing business with Cayman-based organizations greater control over their personal data. It supports growing international expectations that organisations operating in offshore jurisdictions have comprehensive data protection requirements and robust data privacy laws.

The DPL operates under eight Data Protection Principles. Broadly, these are.

• Personal data shall be processed fairly. Processing must meet DPL minimum conditions that include restrictions on the processing of “sensitive personal data” such as ethnicity, political opinions, religious beliefs, trade union membership, medical data and the data subject’s sex life, without consent.
• Personal data shall be obtained only for specified lawful purposes and shall not be further processed in any manner incompatible with that purpose.
• Personal data shall be adequate, relevant and not excessive.
• Personal data shall be accurate and up to date.
• Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
• Personal data shall be processed in accordance with the rights of data subjects under this Law.
• Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction.
• Personal data shall not be transferred to a country or territory that does not ensure an adequate level of protection in relation to the processing of personal data.

What rights do individuals have over the personal data held by organizations?

Personal data is defined widely under the DPL to include any data relating to a living individual. Personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the individual data subject in advance.

The DPL gives individuals the right to access personal data held about them and to request that any inaccuracies are corrected or deleted. Organisations will need to have policies and procedures in place to manage these requests. The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted.

How does Netclues help clients handle their data management under DPL?

Netclues has all the tools and expertise necessary to help you ensure your online DPL compliance becomes a core part of your day-to-day online operations. You need to be able to set up and manage databases, a robust paper trail, saving, storing and retrieving information, lock and key security, etc.

Under the data protection law, anyone who controls personal data must provide information at the time the data is collected, including why the data is processed and how it is safeguarded. The new law also gives individuals the right to request and access their personal data held by an organization, and data controllers are given 30 days to comply.

As a result, companies need to have a system in place enabling them to find the information and report it to the individuals when requested. Here, Netclues can enable this entire process and ensure that our clients are compliant in accordance with the new law.

Under the new law, it is also important not to keep any personal data longer than necessary. While there are no prescribed time periods, organizations need to analyze how long they should maintain personal data for a specific purpose.

Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing can only be undertaken if fresh consent is obtained. Data subjects must also be informed of any countries or territories outside the Cayman Islands to which their personal data may be transferred.

Data retention periods are not set out in the DPL, but it is up to website owners to determine how long data should be kept for. It will also be necessary to evaluate how personal data can be securely deleted once the reasons for holding it have been fulfilled.

How does Netclues help clients handle their data protection?

Implementing a data protection compliance programme requires coordinated engagement with the correct stakeholders across the organisation and a governance regime for approving, overseeing, implementing and reviewing the various policies. Netclues can help here, with our thorough understanding of the new law as well as wealth of experience and expertise in online data protection and management compliance. Here are a few things your legal department can do to make your Online Presence DPL compliant:

• Implement SSL to secure sensitive data transfers
• Encrypt all the data on the website
• Separate Personally Identifiable Information in a different database
• Enable two-step verification for signups
• Help design a proper privacy policy
• Create a page for your end users to request their data be taken off your website
• Disable storing of any credit card or payment information on your servers, and more....

Does Netclues offer legal advice on DPL?

No. Netclues helps develop and implement online solutions only. We recommend that clients seek independent legal advice about specific DPL issues. What Netclues does is help put in various mechanisms in place to ensure good data practices when it comes to online world.

The Office of the Ombudsman will have responsibility for enforcing the new law, which has harsh provisions for those who mishandle data, but also has protections in place that allow organizations to make representations in their own defense. Violations of the data protection requirements can draw up to CI$250,000 in fines. The office of the ombudsman can be contacted on +1-(345)-946-6283 or by email on info@ombudsman.ky