The Cayman Islands Data Protection Law, 2017

Stuarts Walker Hersant Humphries

The following information relates to the enactment of The Cayman Islands
Data Protection Law, 2017 ("DPL"),
which came into effect on 30 September 2019. The DPL will regulate the
processing of all personal data in the Cayman Islands.
The DPL gives individuals control over
their personal data and protects against its misuse in both public and private


The DPL applies to “data controllers”[1], who are required to ensure that the
“personal data”[2] in respect of a “data subject”[3] which they process, or
which is otherwise processed on their behalf by a “data processor”[4], is
processed in accordance with the eight data principles prescribed under the
DPL, as below:



  1. Fair and Lawful Use: Personal data must be processed in both a fair and a
     lawful manner. This means that the data controller must inform a data
     subject (i) who they are and (ii) the purpose for which the personal data
     will be used. In addition, this means that there must be a legal ground
     that permits the data controller to process the personal data, such as
     (i) the data subject has consented to the processing, (ii) the processing
     is necessary for the performance of a contract to which the data subject
     is a party or (iii) the processing is required under law.
  2. Purpose Limitation: Personal data may only be processed for the purpose it
     was collected for. This means that a data controller is not permitted to
     collect personal data for one purpose and use it for another.
  3. Data Minimization: Personal data should only be collected if it is
     necessary for the purpose. This means that the data controller must only
     collect data that it needs for the purpose.
  4. Data Accuracy: Personal data must always be accurate. This means that
     personal data must be accurate and kept up to date, as appropriate.
  5. Storage Limitation: Personal data may not be kept for longer than
     necessary. This means that once the personal data is no longer needed it
     should be destroyed.
  6. Respect for the Individual’s Rights: Personal data shall only be processed
     with the rights of the individual in mind. This means that personal data
     must be processed in accordance with the rights of data subjects
     prescribed under the DPL.
  7. Security – Integrity and Confidentiality: Personal data must always be kept
     safe. This means that personal data must be kept safe using technical and
     organizational measures to protect against unlawful or unauthorised
     processing of, and inadvertent harm or malicious attacks to, such personal
     data.
  8. International Transfers: Personal data may not be transferred outside the
     Cayman Islands unless it is adequately protected. This means that the data
     must not leave the Cayman Islands and be transferred to another
     jurisdiction unless such jurisdiction has equivalent levels of protection
     or adequate safeguards to protect the personal data, subject to certain
     exceptions.



When it comes into force, the DPL will affect any individual or
organisation established in the Cayman Islands which processes personal data,
even where the processing is conducted outside of the Cayman Islands. In most
cases the DPL will only apply to a data controller if it is established in the
Cayman Islands (including any branches or agencies) and it processes personal
data in connection with such establishment. There are certain instances where a
foreign entity processes personal data in the Cayman Islands for any purpose
“other than for purposes of transit through the Cayman Islands” (for example,
where Cayman Islands residents are actively solicited by an overseas provider
of services and products). Such foreign entities will be required to nominate a
local representative in the Cayman Islands. Although based on the same
underlying principles, clients should be mindful that the DPL is not a direct
transcription of broad data protection laws such as the European Union’s
General Data Protection Regulation ("GDPR").
Whilst it is likely that any organisation or individual which was, for example,
already GDPR compliant would be compliant with the DPL, you should still
undertake a detailed analysis of your systems in order to ensure compliance.


The DPL will give individuals the right to access personal data held about
them and to request that any inaccurate data is corrected or deleted. You will
need to have policies and procedures in place by 30 September 2019 to manage
these requests. The DPL will also oblige businesses to cease processing
personal data once the purposes for which that data has been collected have
been exhausted.


The DPL does not set out fixed data retention periods. If you are a data
controller then you will need to decide what a suitable retention period is,
depending on the nature of the data subject and the context of the retention.
Once a retention period is decided upon it will be necessary to determine the
manner of deletion at the end of that period to ensure that it satisfies the requirements
of the DPL.


The DPL applies directly to data controllers and not data processors.
However, where a data processor is used, the data controller must ensure that a
written contract is in place between them which requires the data processor to
act only on the instructions given by the data controller and requires the data
processor to comply with obligations equivalent to the Security – Integrity and
Confidentiality principle noted above.


The Office of the Ombudsman is to be the Cayman Islands’ supervisory
authority for data protection. The Ombudsman will gain its powers when the DPL
comes into force on 30 September 2019. The Ombudsman has published extensive
guidance ahead of time in order to assist organisations to ensure compliance.
As the DPL is modelled on GDPR, supervisory authorities and court decisions in
the European Union will be an important resource for organisations and the
Ombudsman in interpreting and applying the DPL.

Once it is in force, breaches of the DPL could result in fines of up to
CI$100,000 (US$125,000) per breach, imprisonment for a term of up to 5 years,
or both. Other monetary penalties of up to CI$250,000 (US$312,500) are also
possible under the law.


If you believe the DPL applies to you or one of your entities or you otherwise
require any further information in relation to the DPL, please get in touch
with your regular contact at Stuarts Walker Hersant Humphries.


This publication is for general guidance and is not intended to be a substitute
for specific legal advice. Specialist advice should be sought about specific
circumstances.


If you would like further information please

Jonathan McLean
Tel: (345) 814-7930

Simon Orriss
Tel: (345) 814-7931

[1] The DPL defines data controllers as the person who, alone or jointly with others, determines the purposes,
conditions and manner in which any personal data are, or are to be, processed.

[2] The DPL defines personal data as data relating to a living individual who can be identified and includes
data such as: (a) the living individual’s location data, online identifier or
factors specific to the…identity of the living individual; (b) an expression of
opinion about the living individual; or (c) any indication of the intentions
of [any person]…in respect of the living individual.

[3] The DPL defines data subjects as (a) an identified living individual; or (b) a living individual who can
be identified directly or indirectly by means reasonably likely to be used by
the data controller or by any other person.

[4] The DPL defines data processor as any person who processes the data on behalf of a data controller, but
does not include an employee of the data controller.
