Cayman’s Data Protection Law:
What are the key priorities?
25 April 2019
In just over four months, Cayman’s Data Protection Law (DPL) will come into force. If you are only just turning your mind to it, complying with the new legislation will probably seem a daunting task, but there is still time to get ready for 30 September 2019 and the good news is that help is at hand.
What are the key priorities?
To give you a head start we have set out below six key actions to prioritise now:
- Update your data protection policy and procedures to reflect the necessary changes to ensure compliance with DPL. Make sure you send an updated data privacy notice to members.
- Perform a data mapping exercise to identify the personal data that you collect, how it is processed, how it is obtained and the service providers (i.e., third parties) it is shared with. This information will help you assess which data processing activities must comply with the DPL.
- Review the basis on which personal data is collected and processed. Businesses may only collect and process personal data on the basis of one or more prescribed 'processing grounds' (i.e. a: Fair and Lawfulness Use, b: Purpose Limitation, c: Data Minimization, d: Data Accuracy, e: Storage Limitation, f: Respect for the Individual's rights, g: Security - Integrity and Confidentiality and h: International Transfers). Changes may need to be made for this to continue under the DPL.
- Put in place processes to ensure you can respond to data breaches and notify the Information Commissioner without undue delay, but no longer than five days.
- Data subjects will have new rights under the DPL, such as the right to know the purpose for which their data is being processed, the recipients (or third parties) to which their data is being disclosed, and the countries or territories outside of the island to which their data is transferred (or intended to be transferred), as well as the right to be provided with access to their personal data and the right for the data to be rectified, blocked, erased or destroyed where inaccurate.
- Identify any transfers of personal data outside the island (countries or territories) and make sure that there is full compliance with the strict requirements under DPL as to how these can be done. Data transfer agreements should be in place.
- Data retention periods are not defined in the DPL; however, each business should determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes of holding it have been fulfilled.
- Failure to comply with the new DPL could result in fines of up to CI$100,000 or imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to CI$250,000 are also possible under the law.
Help is at hand
DPL will change the way you and your customers work together to ensure that data is secure and the privacy rights of the data subject are respected. At BDO, our experienced Data Privacy team will help support and prepare you for the 30th September 2019 deadline. To get help with any final preparations or any queries you have, please email email@example.com