At a business briefing on 14 November 2018, representatives of the Cayman Islands Government (‘CIG’) stated that the Cayman Islands (‘Cayman’) Data Protection Law 2018 would not come in to force in January 2019, as previously advised, but would be delayed until September 2019. This is confirmed on the Cayman Ombudsman website.
What is the Data Protection regime?
The regime will protect the storage and use of personal data by those that hold it. When it comes into force, the Cayman Data Protection Law 2017 (‘the Law’) will affect any individual or organisation established in Cayman which processes personal data, even where the processing is conducted outside Cayman. The Law was passed and published in the Cayman Gazette in 2017, but it is not yet in force.
When was it due to start?
In August 2017 the Cayman Information Commissioner’s Office (‘ICO’) indicated the Law would come into force in January 2019. The ICO's website now confirms the statement by the CIG representatives that it will not now be in force until September 2019.
What is personal data and who processes it?
The Law proposes restrictions on the ‘Processing’ of any ‘Personal Data’ relating to any ‘Data Subject’ by or on behalf of a ‘Data Controller’, who must comply with eight Data Protection Principles. Cayman’s Information Commissioner will monitor their compliance with the Law and will hear, investigate and rule on any complaints.
Where can I find more information?
For more information, including on the exemptions for trusts, public services and corporate finance services and steps you should take to prepare for the new regime, see our earlier article Data Protection is coming to Cayman in January 2019. The Cayman Ombudsman also has more information on its website:
Is this related to the GDPR?
Although the European Union (‘EU’) General Data Protection Regulation (‘GDPR’) can apply to individuals, private or public entities, outside of Europe, including Cayman entities interacting with EU residents, it is not a Cayman regime. One view expressed by those working in the Data Protection advisory space at the briefing was that any organisation or individual which was already GDPR compliant would be compliant with the Law.
No Content Set