Data Protection for Organizations
The DPA provides a legal framework for the use of personal information. Learn more about how the law applies to your organization, business, or public authority.
Data Protection Act
The DPA applies to the processing of personal data by both public and private organizations.
Our guidance for organizations will help you understand the provisions of the Act, how to respond to data subjects exercising their rights, and how to process personal data in a compliant manner.
Be sure to also check out our list of Frequently Asked Questions at the bottom of this page.
Did you know?
The DPA increases individuals' trust in your organization's use of personal information and supports the Cayman Islands as a jurisdiction of choice.
Did you know?
You need a Data Processing Agreement when engaging a Data Processor.
Organization Responsibilities
The DPA places a number of obligations on organizations processing personal data.
The obligations on organizations are based on common sense. The DPA establishes a framework within which to process your personal data, laying down principles on fairness, transparency, storage retention, and security and confidentiality.
Data Protection Principles
The Data Protection Act, 2017 is centered around eight data protection principles that set out a framework within which personal data is processed. These eight principles are a good starting point to assess the processing that is being done is being undertaken.
Fair and lawful use
Personal data must be processed in a fair and lawful manner.
Fair processing means that a data subject should be informed by the the data controller who they are and what purpose they will be using the personal data for. This information should generally be provided at the moment it is being collected.
Lawful processing means that there must be a legal ground that permits the data controller to process the personal data, for example consent or because there is a contract with the data subject and processing the personal data is necessary to perform that contract.
Purpose limitation
Personal data may only be processed for the purpose it was collected for.
Purpose limitation means that a data controller may not collect personal data for one purpose and use it for another, incompatible purpose.
Data minimization
Personal data should only be collected if it is necessary for the purpose
Data minimization means that a data controller should only collect personal data that is necessary for the purpose and not more.
Data accuracy
Personal data must always be accurate.
Data accuracy means that the personal data must be correct.
Storage limitation
Personal data may not be kept for longer than necessary
Storage limitation means that once personal data is no longer needed, it should be destroyed.
Respect for the individual's rights
Personal data shall only be processed in accordance with the rights of the individual in mind
Individual rights means that any processing done must take the rights of individuals into account. It is a reminder towards data controllers that they have obligations towards the data subjects whose personal data they process.
Security – integrity & confidentiality
Personal data must always be kept safe
Integrity and confidentiality means that personal data must be kept secure using both technical and organizational means and that only individuals and entities who need to use it actually have access to it. Keeping it secure means not just from malicious attacks, but also from inadvertent harm.
International transfers
Personal data may not be transferred outside the Cayman Islands unless it is adequately protected
The principle on international transfers means that personal data may not leave the Cayman Islands unless the destination offers a level of protection that is on a broad level the same as here or where there are adequate safeguards in place to protect the information.
Guidance
Our guidance helps organizations understand the provisions of the DPA and how to apply the law to their daily work.
Frequently asked questions
If you have a question, the answer may already be here for you.
Where can I find in depth guidance on the DPL?
The Office of the Ombudsman has prepared detailed guidance for organizations and guidance for data subjects.
Where can I find all data protection resources released by the Ombudsman?
You can find all resources on our resource page.
Who is responsible for compliance with the DPL?
The organization (controller) itself is responsible. Where the organization is a legal person, such as a company, the internal structure of the organization, as reflected in the company’s constitutional documents, will decide who is responsible for ensuring the organization’s compliance. For example, this may be the board of directors, although the board may delegate specific functions.
Am I personally liable under the DPL?
Section 58 DPL recognizes personal liability for offences under the DPL committed by a body corporate. The personal liability is assigned to “any director, secretary or similar officer of the body corporate” or “any person who was purporting to act in any such capacity” where it is proved that the offence was committed with those individuals’ consent or connivance or attributable to their neglect.
What is the Ombudsman's approach to enforcement of the DPL?
Our primary goal is to help organizations become compliant and to support individuals in the exercise of their data protection rights.
The Ombudsman has substantial enforcement powers under the DPL. These assume different forms: information orders, enforcement orders, inspection and seizure powers, and monetary penalty orders.
The Ombudsman takes all relevant circumstances into account when deciding on the appropriateness and severity of enforcement measures, such as:
- The economic strength of the data controller. This will involve a holistic assessment of the economic unit (eg a relevant group of companies) the data controller belongs to.
- The nature, gravity, and duration of the infringement, considering the specifics of the processing activity, the number of data subjects affected, and the level of damage or distress suffered by them.
- The categories of data subjects and the types of personal data involved.
- Whether the contravention was intentional or negligent in character, as well as the nature of technical and organizational measures taken pursuant to the seventh data protection principle.
- Any evidence of due diligence towards compliance with the DPL.
- Any measures taken to mitigate the damage or distress suffered by the data subjects as a result of the data protection violation.
- The manner in which the contravention became known to the Ombudsman, such as whether through a complaint, the media, or directly from the data controller.
- The level of cooperation with the Ombudsman concerning the investigation and resolution of the contravention.
- The data controller’s history of data protection compliance.
- Any other aggravating or mitigating factors, such as financial benefits gained, or losses avoided, directly or indirectly, from the contravention.
I am a one-person business. Does the DPL apply to me?
Yes. The DPL applies to organizations of all sizes, as long as they process personal data.
Note that compliance may be relatively easy if you do not engage in complex processing of sensitive types of personal data. The Office of the Ombudsman is preparing specific guidance for non-complex processing.
Read about the applicability of the DPL.
Does the DPA apply to personal information that was collected prior to the commencement of the DPA?
Yes. The processing of any personal data will be subject to the DPA, regardless of when the personal data was collected, as long as it is still being held.
Do I need to actively reach out and inform my customers of my identity as the data controller and the purposes of the processing, for example by email or postal letter?
The level of outreach depends on how the personal information was initially collected and what it is used for. Where the individual was likely aware of your identity and the current processing purposes, you will generally not need to actively reach out to the individual. Passive outreach, eg through a privacy notice on your website, should be sufficient. However, where the individual was likely unaware of your identity and/or the current processing purposes, you should actively reach out to the individual to comply with your information obligations.
Read about your information obligations.
I am storing unstructured physical (paper) documents in a warehouse. Is this personal data subject to subject access requests and the storage limitation principle?
Yes. However, section 9(1)(a) DPL excludes such personal data from subject access requests that would demand disproportionate effort. Whether a search represents disproportionate effort depends on a number of factors including the nature of the personal data, what it is required for and what circumstances led to the increased effort required to comply with the subject access request.
Read about subject access requests and the storage limitation principle.
Do I need a Data Protection Officer (DPO)?
No. The DPL does not require an organization to appoint a DPO, though this may be recommended for certain larger or complex organizations.
Does an overseas processor need to comply with the DPA?
Yes, indirectly. The controller remains responsible for any processing activities carried out by its processors under its instructions, as manifested in the data processing agreement with the processor. As such, the processing of the processors must be compliant with the DPA.
Read about data processing agreements.
Can I rely on Privacy Shield to transfer personal data outside the Cayman Islands?
No. The EU-US Privacy Shield is a bilateral framework between the EU and the US. It provides rights only to individuals in the EU. It does not provide rights to individuals in the Cayman Islands. However, other conditions for transferring personal data to the US may apply.
Read about international transfers of personal data.
My organization has suffered a personal data breach. What do we do now?
The DPL requires that all personal data breaches are reported to both the Ombudsman and the affected individuals within 5 days. However, notification may not be necessary if the breach is unlikely to prejudice the rights and freedoms of the data subjects. To notify the Office of the Ombudsman of a personal data breach, please see the contact page on our website: http://ombudsman.ky/get-in-touch. Please use our breach notification form (forthcoming) to submit the details of the breach. You may also contact us if you are unsure whether a breach is reportable.
Read about personal data breaches.