Cayman Islands Data Protection Law Nears Taking Effect

Data protection regulation has landed ashore on the islands, and life is about to become anything but a beach for firms forced to comply with the Cayman Islands’ new Data Protection Law (DPL), slated to take effect September 30, 2019. With provisions largely mirroring the EU’s General Data Protection Regulation (GDPR), entities with a presence or operations in the Cayman Islands that had found themselves outside the reach of the GDPR may now need to comply with similar requirements anyway. That is largely the point of such legislation: the DPL was informed by the GDPR and intentionally built on a similar model so that organizations have a standardized way to manage and protect personal data across jurisdictions.

The DPL is overseen by the Office of the Ombudsman, the supervisory authority in the Cayman Islands. The law applies to data controllers (entities that determine why and how personal data is processed) and data processors (those that carry out the processing) that are either established in the Cayman Islands, or are established elsewhere but process personal data in the Cayman Islands. Under that test, private funds organized under Cayman law or incorporated in the Cayman Islands are “established” in the Cayman Islands, even if they have no physical presence there.

The Cayman DPL applies to “personal data,” meaning data relating to a living natural person whose identity is known or can be determined from the data, and it broadly extends to location data, IP addresses, and other identifiers. Holding such information about an entity’s own employees is by itself enough to bring the entity within the scope of the Cayman DPL.

Similar to the GDPR, the Cayman DPL contains several overarching data protection principles, including:

  • Fair and Lawful Processing – Firms must have a legal basis for the data they collect and be transparent about what they are collecting (e.g. covertly tracking website visitors with cookies, without disclosure or consent, would not be permissible).
  • Purpose Limitation – Firms must disclose, via a privacy notice, why they need the data. Consent must be obtained before using the data for a new purpose, unless the new purpose is a “compatible purpose” such as historical research or statistical analysis, in which case fresh consent is not required.
  • Data Minimization – Firms must collect only the minimum data necessary for the stated purpose.
  • Data Accuracy – Firms must take reasonable measures to keep personal data current and to correct or remove data upon discovering it to be incorrect.
  • Storage Limitation – Firms must not keep data for longer than necessary (although retention periods required under other regulations can inform what a firm’s retention period should be), and firms must honor data subject requests to delete their data from both primary and backup storage locations.
  • Respect for the Individual’s Rights – Firms must be able to identify the data they hold about an individual and every location where it is stored, and must be able to respond to requests from individuals about their data within 30 days (including requests to access, correct, or delete the data, or to restrict its processing or sharing).
  • Security, Integrity, and Confidentiality – Firms must have “appropriate technical and organizational measures” in place to protect data, including anonymizing or encrypting data where it makes sense to do so, and should test those measures and train staff on them.
  • International Transfers – Transfers of personal data from the Cayman Islands to countries that are not deemed to provide an adequate level of protection are prohibited; countries subject to the EU GDPR are treated as providing adequate protection. Where adequacy is lacking, data subject consent or contracts containing specific protective clauses are among the other mechanisms that can permit the transfer.

For more information and examples of how the Cayman DPL applies to different scenarios, please see the Office of the Ombudsman’s Guide for Data Controllers.

Firms with Cayman clients or investors should consider updating their policies and procedures to align with the Cayman DPL in advance of the September 30, 2019 effective date.


For assistance in updating your policies and procedures, please contact us to find out how our Shield cybersecurity services can help.

