The Cayman Islands Data Protection Law, 2017 (“DPL”), which was published in June 2017, will come into force on September 30, 2019. The DPL includes requirements for the protection of personal data and is centered upon eight data protection principles. According to the newly minted Cayman Islands data protection authority, the DPL aligns the Cayman Islands with other major jurisdictions around the world. It includes many concepts that exist in other comprehensive data protection laws, such as the EU General Data Protection Regulation. For example, the DPL includes personal data processing limitations, individual data subject rights, data breach notification obligations and cross-border transfer restrictions.
The DPL applies to a “data controller” who (1) is established in the Cayman Islands if the personal data is processed in the context of that establishment, or (2) is not established in the Cayman Islands, but who processes personal data in the Cayman Islands (unless the processing is limited to the data’s transit through the Cayman Islands). “Data controller” is defined as the person who, alone or jointly with others, determines the purposes, conditions and manner in which personal data is processed. Data controllers who are not established in the Cayman Islands must nominate a representative who is established in the Cayman Islands. The representative will bear the obligations under the DPL as if they were the data controller.
The DPL will be enforced by the Office of the Ombudsman. The Office of the Ombudsman has issued non-binding guidance that aims to explain how the Ombudsman will likely interpret certain provisions of the DPL. Failure to comply with an order issued by the Ombudsman is punishable by a fine of CI$100,000 or imprisonment for five years, or both. Monetary penalties of up to CI$250,000 may also be issued.