BDO Knows Data Privacy

Cayman’s Data Privacy Law and its relationship with the General Data Protection Regulation (GDPR)

01 May 2019

Background

Today, technology allows businesses and government agencies to make use of personal information on an unprecedented scale in pursuing their activities. Data privacy and protection is constantly challenged and shaped by new developments in technology, innovation and business practices, and the level of data collection and sharing has increased substantially as a result. Personal data privacy and protection therefore plays a central role in Cayman’s digital development.

To meet these challenges, Cayman’s new Data Protection Law was passed by the Legislative Assembly on 24 March 2017. It is based on the European Union General Data Protection Regulation 2016/679 (commonly known as the GDPR), bringing the existing law into line with technological advances and modern business practices and thus addressing the privacy concerns of all stakeholders (i.e. data subjects, businesses and governments) in a balanced manner.

The European Union enacted the GDPR to address the difficulties and deficiencies arising from EU Directive 95/46/EC, to "harmonise" data privacy laws across Europe (the member states), and to provide further protection and rights to individuals. While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their data and imposes many new obligations on organisations that collect, handle or analyse personal data. It also gives national regulators new powers to impose significant fines on organisations that breach the law. The GDPR further intends to address the technological and social changes that have transpired over the last 20 years by adopting a technology-neutral approach to regulation.

Similarly, Cayman’s Data Protection Law reinforces the control and personal sovereignty of individuals over their data, thereby contributing to respect for human rights and fundamental freedoms, in particular the right to privacy, in line with the GDPR. The contrast between the previous law and the current law (i.e. the law passed on 24 March 2017) is that, while the prior law set out how companies, government and other organisations use individuals’ personal information, the current law also focuses on how personal information should be used and managed. It is a ‘gamechanger’ and a comprehensive reform of Cayman’s current data protection standards. This law also gives the Commissioner new powers to impose significant fines on organisations that breach the law. Cayman’s Data Privacy Law comes into effect on 30 September 2019.

A brief overview of the GDPR essentials:

The GDPR imposes a wide range of conditions on organisations that collect or process personal data, including six fundamental requirements:

  • Transparency, fairness and lawfulness in the handling and use of personal data. The business should be transparent with individuals (data subjects) about how it is using their personal data. Businesses also need a “lawful basis” to process data.
  • Processing of personal data should be restricted to specified, explicit, and legitimate purposes.
  • Restrictions should be in place on the re-use or disclosure of personal data for purposes that are not “compatible” with the purpose for which the data was initially collected.
  • Data collection and storage of personal data should be minimised to that which is adequate and relevant for the intended purpose.
  • Personal data held should be accurate, and it should be easily accessible to authorised users so that it can be rectified or erased where necessary.
  • Personal data should only be retained for as long as necessary to achieve the purposes for which the data was collected.
  • Personal data should be kept securely through technical and organisational means to ensure the confidentiality, integrity, and availability of the data. This includes protection against unauthorised or unlawful processing and accidental loss, destruction or damage.


A brief overview of the Cayman Data Protection Law essentials:

This law is one of the most wide-ranging pieces of legislation passed in the Cayman Islands in recent years, introducing more robust powers and enforcement penalties for the Commissioner, including more substantial and ambitious provisions on consent, data subject rights and responsibilities, rectification, blocking, erasure and destruction, compensation for failure to comply and the right to stop processing, to name a few.

The law seeks to provide a better understanding of the roles of Data Controllers and Data Processors with regard to the processing of Data Subjects’ personal information, and aims to improve good governance around how personal data is managed and protected. To this end, businesses are required to understand their obligations better, communicate policies and procedures, implement controls and monitor personal data activities, as well as comply with the law, regulations (such as the GDPR), contracts and other obligations. Key areas of focus include (but are not limited to):

Data Controller – commonly an employer (or a legal person, a body incorporated or registered as a foreign company under Cayman law, a partnership or other unincorporated association formed under Cayman law, or an office, branch or agency) that alone or jointly with others determines the purposes and means of the processing of personal information. Data Controllers are required to comply with the data protection principles that relate to the personal data and to ensure that these principles are adhered to.

Data Processor - commonly a company (or legal person) that processes personal data on behalf of a Data Controller.

Data Processing - includes the collection, recording, organising, storage, updating or modification, retrieval, consultation, use, disclosure by transmission, dissemination or making available in any other form, linking, alignment or combination, blocking, erasure or destruction of personal information. Anything that is done to or with personal information is considered processing under Cayman’s data protection law.

Data Subject - an individual (for example, an employee, expatriate, vendor/consultant, contractor, patient, visitor, agent, etc.) who provides personal data to a Data Controller for processing. The Data Controller should inform Data Subjects of all entities (i.e. Data Controllers and/or Data Processors) processing their data.

Personal Data - any information (e.g. an expression of opinion, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity) relating to a living individual who is identified or identifiable, directly or indirectly.

Sensitive Data – Information relating to the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, legal proceedings, criminal convictions or any sentence of a court of a data subject.

Data Protection - Personal data should be processed fairly and lawfully, be adequate and accurate, be kept no longer than necessary, be obtained for a specified purpose and be processed in a manner that is compatible with the original purpose. Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Further, personal data should not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Right of Notification - In the event of a personal data breach, the data controller should, without undue delay and no later than five days after the breach, with reasonable diligence notify the data subject concerned and the Commissioner of that personal data breach, describing the nature of the breach, its consequences, the measures proposed or taken by the data controller to address the breach, and the measures recommended by the data controller to the data subject to mitigate the possible adverse effects of the breach.

Direct Marketing - A data subject is entitled at any time to advise the data controller (in writing) to cease, or not to begin, processing his/her personal data for direct marketing.

Automated Decision Making - A data subject is entitled at any time, by notice in writing to a data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller that significantly affects the data subject is based solely on the processing by automatic means of the data subject’s data for evaluating the data subject’s performance at work, creditworthiness, reliability, conduct or any other matters relating to the data subject.

Right to Cease Processing – A data subject is entitled at any time, to instruct the data controller (in writing for a specified purpose or in a specified manner) to cease processing his/her personal data.

Rectification, Blocking, Erasure, Destruction – Data Subjects are entitled to raise a formal complaint to the Commissioner about the processing of their data in the event that a Data Controller is in breach of the Data Protection Law. If the Commissioner is satisfied, on the basis of the complaint, that the personal data is inaccurate or being misused, the Commissioner may order the Data Controller to rectify, block, erase or destroy the data.

Compensation – Awarded to a Data Subject (any person) who has suffered damage because of a contravention by a data controller of any requirement of the Data Protection Law.

Exemptions - Personal data processed for purposes such as crime, or government fees and duties, are exempt from the data protection principles (except the non-disclosure provisions), or under a certificate signed by the Governor, where applying those provisions would be likely to prejudice:

  • the apprehension or prosecution of persons who are suspected of having committed an offence anywhere, or
  • the assessment or collection of any fees or duty, or any imposition of a similar nature, in the Islands.


Implications of Cayman’s new Data Privacy Law and the new regulation, the GDPR

  • One of the critical benefits of aligning Cayman’s Data Protection Law with the GDPR is to attract foreign investment by making it easier for businesses to work with European countries in both receiving and transferring data. The revised law will enhance the ‘ease of doing business’ requirements and continue to build trust between Europe, the UK and Cayman. Moreover, a stronger and more comprehensible data protection framework, backed by effective enforcement, will allow Cayman’s digital economy to grow, as it aims to put individuals (data subjects) in control of their data, thus underpinning legal and practical certainty for economic operators and public authorities.
  • Additionally, there are requirements for better data management by businesses, and new rights granted to data subjects to gain access to the information companies hold about them. The Commissioner will have sufficient powers to ensure that the principles of the Law, as well as the rights of data subjects, are maintained in accordance with the interpretation and spirit of the law.
  • Increased accountability of data controllers and data processors should support better governance over controlled business processes, resulting in greater productivity and efficiency and a higher level of security, thus promoting and strengthening customer trust, confidentiality and loyalty.
  • Cayman’s new Data Protection Law will significantly improve the digital legal landscape in responding to the GDPR’s adequacy requirements, thereby attracting foreign investors.
  • This law and the GDPR requirements will bring significant changes to the way technology is designed and managed. Improved data security through technology means the risk of data breaches should be minimised, and enhanced data subject rights would give individuals the required access to, and greater control over, their personal information.

In conclusion, the new law rests on several pillars (principal components): coherent rules, coherent procedures, improved security, coordinated actions, data subject rights and involvement, greater visibility and monitoring, and stronger enforcement powers granted to the Commissioner.

How can we help

The success of a Data Privacy Program is critical to compliance and to delivering real business benefits, but too often these programs and projects result in failure, delays and high cost. This is where BDO can help. Our experience in reviewing, executing and delivering privacy solutions and projects, backed by our extensive experience as a technology solutions provider, helps to increase the likelihood of a successful outcome.


For further information please contact:

Richard Carty

Director, Data Privacy & Protection

Email: rcarty@bdo.ky.com