Data protection law places new obligations on businesses

A new Data Protection Law now regulates how businesses and government agencies must handle all personal data in the Cayman Islands.

The new law, which was gazetted last week, was drafted around a set of internationally recognized privacy principles. It provides a framework of rights and duties designed to give individuals greater control over their personal data.

The law supports a growing expectation from international businesses and their clients that organizations operating in offshore jurisdictions have comprehensive data protection compliance requirements in place, backed up by robust data privacy legislation, law firm Appleby said in a press release.

Breaches of the new law can result in fines of up to $100,000 and five years’ imprisonment.

Appleby noted in the press release that under the law, obligations concerning the collection of personal data are increasing with new international data-sharing regimes. These requirements would apply to any organization in Cayman that handles personal data.

Peter Colegate, a privacy and data protection specialist in the Corporate Department at Appleby, said under the new law, personal data is defined widely to include any data that allows an individual to be identified. All personal data must be processed fairly and lawfully and used for a legitimate purpose that the data subject has been notified of in advance through a privacy policy or similar notice, he said.

“Personal data holdings should not be excessive in relation to the purposes for which they are collected and must be destroyed in a secure way once those purposes have been fulfilled. Organizations must also put in place appropriate technical safeguards to protect personal data from unauthorized or unlawful processing,” he said.

Employer obligations

Cayman employers are required to set out both the purpose for which employee personal data is collected and with whom that data may be shared.

Employers must also notify employees if their personal data is transferred to any countries or territories outside of the Cayman Islands. Best practice would be for this information to be set out in a separate privacy notice which can be provided to the employee with their employment contract, the law firm states.

“A data protection policy should be tailored to an employer’s business to take account of the structure of its organization, resources and particular personal data which it may process. The policy must be communicated to employees and monitored over time to ensure compliance,” said Kathryn Rowe, senior associate at Appleby specializing in Immigration and Employment. “Ideally, the policy should identify a compliance manager who is responsible for reviewing, implementing and monitoring compliance with the policy.”

Third-party service provider relationships

Offshore financial centers are a prime target for cybercriminals because they tend to manage large amounts of sensitive data. As organizations increasingly outsource a significant part of their day-to-day operations to external service providers, these transfers also leave them vulnerable to attack.

Cybercriminals can easily identify and exploit weak links in the flow of information between an organization and its external providers, Appleby said.

Even personal data that has been anonymized or aggregated by an organization will still require careful handling. “The rise of social media and the increase in online public data sources means cybercriminals are now easily able to re-identify individuals by combining that information with the anonymized or aggregated datasets,” said Mr. Colegate.

“Contractual provisions should be put in place between the organization and the third-party service provider to ensure that any personal data is processed only for authorized purposes, that all data is stored and transmitted securely and that disaster recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited,” Mr. Colegate added.
