Data protection is coming to Cayman in January 2019
02 August 2017
Note: Now September 2019
On 2 August 2017 the Cayman Islands (‘Cayman’) Information Commissioner’s Office (‘ICO’) indicated that the Cayman Government’s Data Protection Law 2017 (‘the Law’) is expected to come into effect in January 2019 (see here).
IMPORTANT UPDATE - In November 2018 this was formally put back until September 2019 - see Cayman Data Protection regime will now start in September 2019.
Once that happens the Law will affect any individual or organisation established in Cayman which processes personal data, even where that data is being processed outside Cayman. Although the Law was passed on 17 March and was published in the Cayman Gazette on 5 June 2017 it is not yet in force, allowing those affected time to prepare. Here we look at some of the Law’s provisions (including the corporate finance exemption) and suggest some steps you should consider taking if the Law is likely to affect you or your organisation.
Legislation: The Data Protection Law 2017
What is personal data and who processes it?
The Law proposes restrictions on the ‘Processing’ of any ‘Personal Data’ relating to any ‘Data Subject’ by or on behalf of a ‘Data Controller’. In this context:
- You are Processing Personal Data if you obtain, record, hold or carry out any operation(s) on Personal Data, such as retrieving, consulting or using it, organising, adapting, altering, combining, erasing or destroying it, or disclosing it by sending it or making it available to a third party.
- Personal Data is any data relating to a living individual who can be identified, and includes but is not limited to their address, any online identifier, their appearance, psychological, genetic, mental, cultural or social identity, or the Data Controller’s (or any other person’s) opinions of or planned action towards them.
- a Data Subject is any living individual who is either identified or who might be identified directly or indirectly.
- a Data Controller is a Cayman established individual or responsible for determining the manner in which Personal Data will be processed for their Cayman operations, or, where such data is processed outside Cayman, a Cayman based representative.
What are the rules?
Underlying the rules are eight ‘Data Protection Principles’ with which the Data Controller must comply. To summarise the effect of these:
- Personal Data must be’ processed fairly’ (which is determined by whether the data was obtained through deception or the Data Subject was misled as to the purposes for which the data was obtained). (If it is obtained as a result of an enactment or convention or other international instrument which imposes an international obligation on Cayman, then it is treated as having been obtained fairly.)
- ‘Processed Fairly’ includes that as soon as reasonably practicable, the Data Subject is given (at least) the identity of the Data Controller and why the data is being processed.
- To be processed it must meet at least one of the Conditions. There are two types of Conditions: six paragraphs which govern all Personal Data (such as consent, that the processing is necessary for a contract or to protect a vital interest of the Data Subject) and an additional ten which must be met to process Sensitive Personal Data (such as the Data Subject’s racial or ethnic origin, religion, health, sex life, offences or Court sentences.)
- Personal Data must be accurate, relevant, up to date and no more than is necessary to complete the specified lawful purpose for which it was obtained, and not be used for any other purpose.
- Personal Data must not be kept longer than necessary and appropriate measures must be taken to ensure it is not lost or misused or sent to a jurisdiction which does not have appropriate data protection.
- Processing can only be contracted out under a written contract which provides that the processor can only act on the Data Controller’s instructions and which imposes a requirement that the processor takes appropriate technical and organizational measures. If a breach occurs then the Data Controller must notify the Data Subject and the Cayman Information Commissioner (‘IC’).
- Data Subjects will have the right to be told within 30 days if Personal Data is being processed, what data is held, why it is being processed, who it will be disclosed to/shared with, and in what countries.
Are there any exemptions?
There are also Exemptions to the rules, for example for law enforcement, collection of Cayman fees and duties, certain types of research, legal proceedings and legal professional privilege. There are also exemptions for:
In particular Personal Data is exempt from the ‘subject information provisions’ (which relate to when Personal Data may be processed and if it has been Processed Fairly) if it is information in relation to either an ordinary trust or a trust established pursuant to the Trusts Law (2011 Revision) or the Wills Law (2004 Revision).
Public service and regulation
Processing Personal Data is exempt where to comply with the subject information provisions would be likely to prejudice the proper discharge of a public function (such as any monitoring, inspection or regulatory function for public safety, criminal offences, breaches of professional ethics in regulated profession, regulation of the financial services industry or for compliance with international tax treaties/ co-operation).
Corporate finance service
This exemption applies where processing Personal Data is for the purposes of or in connection with Corporate Finance Services (‘CFS’) provided by a ‘relevant person’ (‘RP’). It applies to data to the extent to which they could (or the Data Controller reasonably believes they could) affect the price of an existing instrument or one which may be created. The CFS exemption also applies if it is required for the purposes of safeguarding an important economic or financial interest of Cayman. For this exemption:
- CFS is defined as underwriting (or services related to underwriting) in respect of issues of, or the placing of issues of, any instrument, or advice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings.
- An RP is someone who is either registered or authorised (or exempt from registration or any authorisation) under any law for investment business, or who provides CFS in the course of their employment or a partner who provides certain CFS, or who regulations included in the list of RPs.
Who will be monitoring compliance?
Data Controllers will not need to be licensed, but Cayman’s Information Commissioner (‘IC’) will monitor their compliance with the Law and will hear, investigate and rule on any complaints.
What should I do to prepare?
The first step is to conduct a review of how your organization obtains, processes, stores, uses and discloses any Personal Data. Issues to consider are:
- Do you have explicit, freely given, informed and specific consent which by a statement or clear act signifies that Data Subjects agree to the method and type and/or duration of processing, and for all uses to which your organization puts, the Data Subject’s Personal Data?
- How was the Personal Data obtained, is it accurate and up to date?
- Who in your organization is processing the information, why and how? Are you holding more, and/or for longer, than you need? Is any Personal Data stored or used by Directors, Partners or members of staff on their personal smartphones, tablets, laptops, or home computers?
- What are your security measures, and are the technology and systems used to protect Personal Data sufficient and up to date? How do you transfer information within your group?
- Do you have processes in place to report breaches to the IC and the Data Subject within the proposed timeframe. Will a breach in Cayman have reporting implications for other parts of your group?
- Does everyone in the organization know the new rules? Training should be offered to ensure that all Directors, Partners and employees are aware of the new rules, and a compliance manual prepared detailing the new obligations and the procedures and processes to be followed, particularly with regard to any possible breach.