Cayman Islands Data Protection Laws & National Risk Assessment Update


By Eric Gronroos, Baker Tilly

The Cayman Islands Data Protection Law, 2017 (DPL) has now been in effect for over two and a half years. The law, which went into effect Sept. 30, 2019, is under the authority of the Cayman Islands Monetary Authority's (CIMA) Office of the Ombudsman. Subsequently, the ombudsman issued the Data Protection Act (2021 Revision) Guide for Data Controllers (DPA), which came into effect April 30, 2021. The update in CIMA's DPA expanded the requirements for entities that conduct business in the Cayman Islands, including many funds and partnerships that originally were not required to file annual financial reports or were not previously subject to the DPL's requirements.

While somewhat vague, the updated DPA strengthens the minimum standards and security measures that must be maintained for personal data held by businesses. To manage data effectively in compliance with the DPL, data mapping should be used to identify the personal data being used to conduct business, who has access to that data, and who controls and processes it. The main responsibility lies with the data controller, who maintains personal data and ensures that it is processed in accordance with the requirements. A "data controller" is defined in the DPA as "the person who, alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be, processed and includes a local representative."

Data controllers must comply with eight data protection principles described in the DPA:

  1. Fair and lawful processing of personal data;
  2. Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is collected or processed;
  4. Personal data shall be accurate and, where relevant, kept up to date;
  5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose;
  6. Personal data shall be processed in accordance with the rights of data subjects;
  7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and
  8. Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.