Guide to Data Protection Law 2017 for Data Controllers

Introduction

Note: This guidance is based on the United Kingdom’s Information Commissioner’s Office’s Guide to the General Data Protection Regulation (GDPR), available here.

The Data Protection Law, 2017 (the “DPL”) is a powerful piece of legislation. It introduces globally recognized principles about the use of personal data to the Cayman Islands. The DPL aligns the Cayman Islands with other major jurisdictions around the world, notably the European Union, and thereby facilitates the free flow of data – a pre-requisite for the Cayman Islands being an equal and competitive participant in today’s globalized economy.

Moreover, the DPL provides a standard framework for both public and private entities in the management of the personal data they use. Internationally active organizations will find many similarities between the data protection law of the Cayman Islands and of other jurisdictions where they are active. The DPL aims to reduce the administrative burden of operating internationally and cement the Cayman Islands as an attractive jurisdiction in line with international developments.

The DPL also serves as a guide to provide assurance to individuals whose personal data is being processed. Indeed, where individuals feel that they are empowered to manage and control their personal data, they are more likely to share personal data with the organization, to the benefit of both parties.

The Office of the Ombudsman is the Cayman Islands’ supervisory authority for data protection. As part of this role, the Ombudsman:

  • hears, investigates, and rules on complaints;
  • monitors, investigates, and reports on compliance by data controllers;
  • intervenes and delivers opinions and orders related to processing operations;
  • gives orders on rectification, blocking, erasure, or destruction of data;
  • imposes temporary and permanent bans on processing;
  • makes recommendations for reform both generally and targeted at specific data controllers;
  • engages in proceedings where there are violations, and refers violations to the appropriate authorities;
  • co-operates with other supervisory authorities;
  • publicizes and promotes the requirements of the law and the rights of data subjects; and
  • does anything else that is conducive or incidental to the Office’s functions.

The Office of the Ombudsman’s approach to data protection is a practical one. We recognize and respect the fundamental right to privacy. At the same time, we understand that fair and lawful processing of personal data is essential to the modern service economy.

The DPL is modelled on European data protection legislation. Supervisory authorities and court decisions in the European Union will be an important resource for organizations and the Office of the Ombudsman in interpreting and applying the DPL. However, there are a number of differences between the EU legislation and the DPL which must be taken into account when interpreting the legislation.

The guidance in this document is issued pursuant to sections 34(1) and 41 DPL. It aims to explain how the Office of the Ombudsman will likely interpret certain provisions of the DPL, and is not binding. 

Acknowledgment

We would like to thank all those who have contributed to this guidance, including Peter Colegate and Peter A. Broadhurst.
