Written by: Richard Sheinis, Esq.

The Data Protection Law, 2017, (“DPL”) introduces globally-recognized principles surrounding the use of personal information to the Cayman Islands.  Similar to the GDPR and other data privacy legislation, individuals will have several data access rights.  These rights include the right to be informed, the right to access their data, the right to correct their data, the right to stop processing, the right to stop direct marketing, and the right to compensation for damage.

The DPL also continues the GDPR concept of data controllers and data processors.  The DPL applies to processing carried out by organizations established within the Cayman Islands, as well as to organizations established outside the Cayman Islands that process personal data within the Cayman Islands.  Personal data may be process only if there is a legal basis for doing so, such as consent, contract, legal obligation, vital interests or legitimate interests.  When processing sensitive personal data, the data controller must not only meet one of the conditions mentioned above, but must also meet an additional condition for processing, which are listed in Schedule 3 of the DPL.  Personal data may be transferred from the Cayman Islands to another country or territory only if an “adequate level of protection” can be insured.  If the other country does not provide an adequate level of protection, the transfer may still be approved if it is based on standard contractual clauses similar to those used under the GDPR.

While the Cayman Islands DPL is quite similar to the GDPR, an organization should not assume that because it is GDPR-compliant, it is also compliant with the DPL.  A review or audit of an organization whose current practices are in compliance the DPL is still necessary.