Cayman Islands Data Protection Law – Obligations for Cayman Islands Businesses
28 January 2021
This briefing provides a summary of the main provisions of the Cayman Islands Data Protection Law, 2017 (the "Law") and highlights some important obligations and compliance steps.
It is not intended as legal advice. Please contact Bedell Cristin if you would like specific advice on how the Law applies to your business.
Rational and summary of the Law
The Law regulates the processing of all personal data in the Cayman Islands and sets out certain duties of those holding personal data, together with the Confidential Information Disclosure Law, 2016.
The Law applies to 'personal data' of a 'data subject' that is 'processed' by 'data controllers' or 'data processers'. The definitions are broad such that it is extremely likely that a business will fall under the parameters of the data protection framework. Should you fall within the framework you must comply with the eight data protection principles; the detail of which is below. Very broadly, as a Cayman Islands entity should you fall with the 'data controller' or 'data processer' you should be looking to undertake the seven compliance steps, again, the detail of which is below.
The distinction on 'data controller' or 'data processer' is an important one and therefore should be analysed on an individual basis. All 'data controllers' are required to comply with the data protection principles relating to the personal data that the 'data controller' processes. 'Data controllers' are also required to ensure that third parties comply with the data protection principles should such third parties process the personal data on the 'data controller's' behalf.
Requirements of the Law
The Law applies to any legal or natural person that processes "personal data". Personal Data is defined in the Law as any "data relating to a living individual who can be identified" (referred to in the Law as "data subjects").
The definition specifically includes: (i) location data, online identifiers or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual; (ii) an expression of opinion about the individual; and (iii) any indication of the intentions of the data controller or any other person in respect of the individual.
There is an additional category of "sensitive personal data" which is subject to greater restrictions and is described in more detail in the "frequently asked questions" section below.
"Processing" is defined very broadly. If you are doing anything with personal data, including the act of collecting or deleting it, you will be "processing" it for the purposes of the Law.
If your organisation processes personal data you will either be a "data controller" or a "data processor" in respect of that data. The data controller is the person or entity that determines how the personal data will be processed, and a data processor is any person or entity that processes it on behalf of the data controller (but does not include an employee of a data controller).
Most organisations will be a data controller in respect of at least some personal data but may be a data processor of other personal data. The distinction is important, as the data controller has liability for the actions of a data processor in many circumstances.
Data controllers must comply with eight data protection principles set out in schedule 1 of the Law:
- personal data shall be processed fairly and only in specific circumstances;
- personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
- personal data shall be adequate, relevant and not excessive in relation to the purpose of purposes for which it is collected or processed;
- personal data shall be accurate and, where relevant, kept up to date;
- personal data processed for any purpose shall not be kept for longer than is necessary for that purpose;
- personal data shall be processed in accordance with the rights of data subjects;
- appropriate technical and organisational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and
- personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The Law provides specific rights to data subjects, including the right to certain information from a data controller and the right to access personal data held by a data controller (an "access request")
The supervising authority for data protection in the Cayman Islands is the Office of the Ombudsman The Ombudsman's website contains guidance and useful compliance resources. Within the Ombudsman, the Cayman Islands Information Commissioner has responsibility for taking action, including receiving complaints and instigating proceedings against Data Controllers for breaches of the Law.
Set out below are seven compliance steps that every business in Cayman should be undertaking, at a minimum, to comply with the main requirements of the Law in respect of its primary data sources, and to identify where further compliance work is needed. This is intended as general guidance only - it is not exhaustive or intended to be a complete compliance programme, and is not a substitute for formal legal advice. Many of the provisions described below are subject to exceptions detailed in the Law and additional guidance contained in the Data Protection Regulations, 2018.
The first step to complying with the Law is to understand how information and data flows into and out of your organisation and how it is used. A data mapping exercise means conducting an examination of:
- where personal data comes from and the purposes for which it is collected;
- where the personal data you collect is transferred to;
- whether you are the data controller or a data processor in respect of personal data coming from any particular source;
- whether the personal data you collect is "adequate relevant and not excessive" for the purposes it is collected;
- to what extent steps are taken to keep personal data accurate;
- how personal data is stored and protected within your organisation; and
- how and when personal data is deleted.
We recommend starting with the main sources and types of personal data your organisation collects. Typically that might be personal data received via the internet and email and relating to employees, other businesses and clients.
A data map is an essential guide in understanding where changes might be required to comply with the Law and in preparing policies and procedures for ongoing compliance.
The source of any personal data, whether it be a form, email or a website, should provide a data protection notice containing the information required by the Law. At a minimum the privacy notice must include the identity of the data controller, the purposes for which the data is being collected, and information that will enable the data subject to contact the data controller.
We recommend that a privacy notice is used to obtain the consent of the data subject whenever possible. Consent has high compliance value under the Law. For example, all data processing must be conducted in accordance with at least one of the specific conditions set out in Schedule 2 of the Law and, in the case of sensitive personal data, also in accordance with one of the conditions set out in Schedule 3 of the Law. In both cases the conditions are satisfied if the data subject has consented. International transfers of personal data are also permitted with consent, even if the recipient is not subject to contractual or statutory safeguards.
It is important to note that consent, for the purposes of the Law must be a "freely given, specific, informed and unambiguous indication of the Data Subject's wishes….by a statement or by a clear affirmative action"... Pre-checked boxes or "opt-out" consent forms are not sufficient. The burden of proving consent is on the data controller and may be void if there is a "significant imbalance between the position of the data subject and the data controller (for example, a bank requiring consent in order to process a loan application). Consent may be withdrawn at any time.
In the case of websites consent is generally obtained by requiring the user to check a box at or before the point of collection. In the case of email it generally requires a disclosure in the body of the email itself describing the purposes for which the information will be used and a clear statement that sending an email to your organisation is an indication of consent to the collection and use of personal data for the specified purposes.
If you are transferring personal data to a third party data processor (for example a fund administrator, insurance manager or corporate services provider) it is a requirement of the Law that the processing is carried out pursuant to a written contract specifying that the data processor is to act only on instructions from the data controller, and requiring the data processor to apply appropriate safeguard to the personal data. It is also important to ensure that the contract contains appropriate contractual remedies and indemnities to protect you in the event of a personal data breach.
Additionally, if personal data is going to be transferred internationally to a jurisdiction that is not considered adequate (being any EEA jurisdiction and any jurisdiction in respect of which an adequacy decision has been made by the European Commission – listed here) then, unless consent has been obtained or the transfer is within one of the other limited exceptions set out in Schedule 4 of the Law, the transfer must be made subject to suitable contractual provisions or a stand-alone data transfer agreement.
Data Subject Requests
A data subject is entitled to ask whether their personal data is being processed by your organisation and, if so, for a description of:
- the personal data;
- the purposes for which it is being processed;
- who the data may be disclosed to;
- any countries that the personal data may be transferred to; and
- the general security measures in place to protect the personal data.
A data subject is also entitled to receive (in intelligible form) a copy of the personal data and the source of it (to the extent available).
A data subject may also request certain information in respect of automated processing of personal data, including the right to request that no decision taken by or on behalf of the Data Controller that significantly affects the data subject is based solely on automatic processing.
Requests must be responded to within 30 days.
A data subject is entitled, by notice in writing, to require the data controller to cease processing his or her Personal Data within 21 days.
Given the limited time frame to respond it is important to have a plan, a nominated person and, ideally, a written procedure in place to deal with requests.
The fifth principle of the Law is that personal data shall not be kept for longer than is necessary for the purpose it was collected. We recommend that you have a written retention policy and, importantly, that records are actually erased or destroyed once the term is reached. Documents that may be required in connection with future legal claims should be retained for the applicable limitation period (generally in Cayman this is 6 years).
Appropriate technical and organisational measures must be taken to protect against unauthorised or unlawful processing, use, disclosure or deletion of personal data. Technical security will include measures such as restricted physical access, encryption, and passcodes for access to mobile phones and computer networks. Organisational security includes restricting access to employees that have a valid need to access the personal data.
The Ombudsman's guidance states that you can consider the technology that is available and the costs of implementation when deciding which measures to take, provided that the measures are appropriate to the circumstances and the risks.
A personal data breach is defined in the Law as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". All personal data breaches must be notified to the Ombudsman and to the individual or individuals whose personal data is involved within 5 working days. If you use a data processor then the steps that the data processor must take if it causes a breach should be detailed in the contract in place, and responsibility for the reporting still rests with the data controller.
Notification of a breach should include:
- the nature of the personal data breach;
- the consequences of the breach;
- the measures proposed or taken by yourself to address the breach; and
- the measures you recommend the individual(s) to take to mitigate the possible adverse effects of the breach.
Bedell Cristin is experienced in advising large and small organisations with each stage of a data protection compliance projects. Our attorneys have assisted numerous multi-jurisdictional businesses with data mapping, privacy notices, policies and procedures, post-breach action, processor and transfer contracts and client agreements. Please contact us if you would like assistance in complying with the Law or international data protection standards.
Frequently asked questions
Under what circumstances may Personal Data processed?
The first principle of the Law states that personal data may only be processed if:
- the data subject has consented;
- the processing is necessary for the performance of a contract to which the data subject is a party or taking steps at the request of the data subject with a view to entering into a contract;
- it is necessary to comply with a (non-contractual) legal obligation;
- it is necessary to protect the vital interests of the data subject;
- it is necessary for the administration of justice, the exercise of any statutory functions, the functions of government, or any other functions of a public nature carried out in the public interest;
- it is necessary in connection with the legitimate interests of the data controller or any third party, unless it would prejudice the rights and freedoms or legitimate interests of the data subject.
What is sensitive personal data and what additional rules apply to it?
Sensitive personal data means personal data consisting of:
- the racial or ethnic origin of the data subject;
- the political opinions of the data subject;
- the data subject's religious beliefs or other beliefs of a similar nature;
- whether the data subject is a member of a trade union;
- genetic data of the data subject;
- the data subject's physical or mental health or condition;
- medical data;
- the data subject's sex life;
- the data subject's commission, or alleged commission, of an offence; or
- any proceedings for any offence committed, or alleged to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in the Islands or elsewhere.
In addition to the conditions that must be satisfied in order to process personal data, sensitive personal data may only be processed if:
- the data subject has consented;
- there is a legal necessity arising from the data subject's employment by the data controller (for example, the provision of health insurance);
- the processing is necessary to protect the vital interests of the data subject (or another person, where consent from the data subject has been unreasonably withheld);
- the processing is carried out in the course of legitimate activities of a non-profit that exists for political, philosophical, religious or trade-union purposes (provided certain other requirements are met);
- the personal data has been made public by the data subject;
- the processing is necessary in connection with legal proceedings or legal rights, the administration of justice, the exercise of statutory functions or the exercise of any functions of government;
- the processing is necessary for medical purposes (subject to certain additional requirements);
- the circumstances are prescribed by regulation; or
- other circumstances that may be determined by Cabinet.
Given the limited time frame to report a personal data breach it is important to have a plan in place before the event, including a nominated person and, ideally, a written procedure to deal with breaches and notification.
Can we charge a fee for access requests?
No, not unless the request is unfounded or excessive. Examples of unfounded or excessive requests (as specified in the Data Protection Regulations 2018) are requests that are repetitive, fraudulent or that would unreasonably divert the resources of the data controller. The data controller has the burden of proving that the request is unfounded or excessive and any such determination should be documented.
Which countries can we send personal data to without additional compliance obligations?
The current list includes any member state of the European Union, Norway, Liechtenstein, Iceland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, New Zealand, Switzerland, and Uruguay.
Can we send personal data to the United States without the consent of the data subject?
The US is not considered an "equivalent jurisdiction" and the privacy shield framework between the EU, US and Switzerland does not apply to data transfers from the Cayman Islands. However the Ombudsman has said that self-certification under the privacy shield by US entities "may be taken into consideration as a positive factor" when making general authorisations about permitted transfers. Until such time as a general authorisation is made, transfers to entities in the United States must be made with the consent of the data subject or pursuant to appropriate contractual safeguards.
What if we need to disclose personal data in an emergency?
Disclosure of personal data is permitted without consent if is it necessary to protect the vital interests of the data subject.
Is the Cayman Data Protection Law the same as the GDPR?
The two are very similar but not identical. However, if your organisation is currently compliant with GDPR it will also be compliant with the Law.
If you would like any further information, please get in touch with your usual Bedell Cristin contact or one of the contacts listed.