Resources

Cayman Islands Seek to Supplement Its Data Protection Law

April 11, 2018

In 2017, the Cayman Islands passed the Data Protection Law (“DPL”), which reads much like the upcoming European Union General Data Protection Regulation (“GDPR”) that goes into effect Mary 25, 2018. The DPL applies to entities falling within the definition of “data controller” who are established in the Islands or who process data in the Islands. The DPL divides data into two categories, personal data and sensitive data. Certain information is exempt from the application of the DPL, such as data processed in connection with a corporate finance service.[1] The DPL gives individuals the right to access their information, object to processing, and the right to request their information be corrected or erased.

The consequences for violating the DPL are not light. The Commissioner has the right to execute a search warrant and search an organization’s premises if it believes the organization is violating the DPL. The Commissioner can seek to impose liability on corporate directors, secretaries, or officers. A fine may not exceed $250,000 for a single offense.

Significantly, the DPL imposes breach notification requirements to the local Commissioner and impacted individuals within five days of becoming aware of the breach. Failure to follow these requirements may result in a fine of $100,000. The DPL notification requirement to individuals is stricter than under GDPR, which provides that notice only need to be given to individuals after a determination that the “breach is likely to result in a high risk to the rights and freedoms of natural persons…” GDPR Art. 34(1). However, GDPR’s time to notify regulators is only 72 hours. GDPR Art. 33(1). Organizations falling under the regulatory of both laws will need to ensure that their incident response plans reflect the shortest response time and that their compliance programs address the different requirements. The DPL requires the notice contain a description of: (1) nature of the breach; (2) consequence of the breach; (3) remediation measures taken; and (4) steps the individual may take to help mitigate harm caused by the breach.

Recently, additional draft regulations were proposed to supplement the DPL and are cited as the Data Protection Regulations, 2018. These new regulations add definitions related to a child and educational record and address fees for requests for information. The new regulations propose there be no fee to an individual when requesting access to their data unless the request is excessive, repetitive, or fraudulent. They also address extensions of time to respond to such requests and informing a data subject of the right to complain. The new regulations contain exemptions for information requests related to health information, educational information, and social work information.

The final provision of the proposed regulations, is perhaps the most interesting, as it proposes to only allow the transfer of information to international intelligence agencies if the transfer is permitted pursuant to local law or order of the Cayman Islands’ Grand Court. This will have international consequences as more organizations find themselves the subject of requests for information, either informally or via subpoena, from intelligence agencies outside of their home borders.

The consultation period for public comment on the draft regulations closes April 30, 2018. Once the consultation period closes, the comments will be considered prior to adopting a final version of the regulations.

We recommend that organizations which find themselves regulated by both the DPL and GDPR take the following steps:

  • Assess: Evaluate what data your organization has that is covered by DPL for Cayman Island data subjects in conjunction with an evaluation of what data you may handle that falls under GDPR, and evaluate any overlaps that need to be addressed for additional compliance requirements.
  • Prepare: Develop incident response plans to comply with the most restrictive international laws, such as the 72-hour timeframe under GDPR, also taking into account the five-day notification requirements to affected individuals under DPL.
  • Review: Expand your compliance analysis to consider the interplay of applicable international laws and how your compliance programs accounts for competing or conflicting regulatory requirements.

Dykema’s Global Privacy and Data Security Team routinely monitors global legislation and its impact on our clients international operations and global privacy and compliance programs. Our team is available to assist your organization in developing a holistic global privacy program that addresses multinational regulatory requirements. Please contact Cinthia Motley, Ashley Jackson, or your Dykema relationship attorney.


[1] DPL defines a corporate finance service as a service consisting of or related to the issuance or placement of any instrument representing an investment or advice related to capital structure, industrial strategy, and mergers or purchases of businesses. DPL Sec. 28.

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. © 2018 Dykema Gossett PLLC.