The introduction of Cayman’s Data Protection Law will come into effect in January 2019, but local businesses and organizations need to be aware of a corresponding piece of legislation coming out of Europe that is likely to impact them as early as this month.
The European Union’s General Data Protection Regulation, or GDPR, will come into force on May 25. While it sets a single data protection standard across the EU that gives individuals more control over their personal data, it does also apply to organizations outside of Europe.
Given the potential criminal liability and heavy fines of up to 10 million euros or 4 percent of an entity’s global gross revenue, businesses in Cayman need to be aware of their obligations under the European law.
The GDPR applies to any organization that either offers goods and services to EU citizens or monitors their behavior, such as tracking an individual’s internet activity to generate a profile of personal preferences.
Given the prevalence of European tourists and expatriates on the island and the international nature of many Cayman businesses, the European regulation is likely to impact most Cayman-based organizations.
However, few companies locally know that they are subject to European data protection rules, said Dean Lynee, managing director of Tri-Bridge Compliance Partners.
“Cayman overall is not aware of the law and the impact it has on individuals and entities,” he said.
Simply having a website that collects log-in information may be enough to fall within the scope of the law. The effect of the GDPR is therefore already visible on most websites, which must remind users if the site is using cookies to store user preferences and activity. Companies that send out regular email newsletters must now first get the consent of the email recipient. Providing a link to opt out of an email newsletter is no longer sufficient.
Given that there are many overlapping aspects of the GDPR and the Cayman Islands Data Protection Law, which comes into force next year, and because May 25 is only a few days away, Cayman businesses should accelerate their preparedness for both pieces of legislation, Mr. Lynee said.
“Companies that have to be compliant under the GDPR should think already about the Cayman Data Protection Law, which is very similar.”
New privacy rights
Under both the European and the Cayman data protection legislation, anyone who controls personal data must provide considerable information when the data is collected, including why the data is processed and how it is safeguarded.
Individuals also have the right to request access to the personal data a company holds about them, and data controllers have about 30 days to comply. This means companies need to have a system in place to locate the information and report it to the individual on request.
It is also important not to keep any personal data longer than necessary. There are no prescribed time periods within either law, so organizations need to analyze how long they should maintain personal data for a specific purpose.
Dawn Thomas, principal at consulting and technology services firm Solex, said the European law is directed at EU citizens, who have increased rights, and the types of companies that have EU citizens’ data.
She believes there is a misconception in many organizations that data protection compliance is merely a security issue. “But there is also a business impact in terms of policies and procedures, privacy notices and so on. There is a lot that goes into it,” she said.
To comply with the European and the Cayman Islands data protection legislation, organizations will have to undertake an internal analysis.
“You need to assess your company around how you are collecting the information, consent of the information, storing the information and processing the information. The ability to delete it, to review it, all of those things come into effect in relation to the data,” Ms. Thomas said.
Data security is the other part. Organizations must take appropriate measures, both in their IT infrastructure and organizationally, to prevent personal data from being processed without authorization and to protect against loss of data.
If a company’s systems have been hacked or information has been disclosed accidentally, both laws include an obligation to inform the regulators and anyone affected by the breach immediately.
Mr. Lynee said organizations are often not aware of how much personal data they are collecting, who has access to it and how the data is processed. Many companies also mistakenly think that the law does not apply to them or that the information they collect is not relevant.
“Don’t take this lightly,” he cautioned.
Ms. Thomas advised that conducting an assessment was crucial, and organizations should take a holistic view: “You need to have someone who knows what that assessment looks like, not only from a business perspective in terms of processes, but also the technical side.”