Data Protection Law start date pushed back

An aerial view of the business area of downtown George Town, Grand Cayman. – Photo: Chris Court

Government is delaying the enforcement of the Data Protection Law, originally slated for Jan. 1, 2019, by nine months following representations made by the financial services industry.

The Data Protection Law regulates how businesses and government agencies must handle all personal data in the Cayman Islands and provides a framework of rights and duties designed to give individuals greater control over their personal data.

The law specifically covers how such data is collected, processed, stored or transmitted, particularly when dealing with government bodies, corporate entities, practices and firms.

The new commencement date of Sept. 30, 2019, is aimed to enable all entities impacted by the new law to be ready to meet its requirements.

Attorney General Samuel Bulgin said stakeholders in the financial services industry had sought more time to better prepare themselves for complying with the law. This included the completion of staff training, hiring new staff as needed, auditing existing data and establishing the needed administrative framework.

Mr. Bulgin said in a press release, “Government is hoping that the new starting date will allow all impacted by the law, including data controllers and employers, small and big, in the public and private sectors, sufficient opportunity and time to prepare and be able to comply with the requirements.”

The extra time would help mitigate the impact especially on small businesses which need to familiarize themselves and observe the law in all aspects when it comes into force, he said.

The delay would also give government the opportunity to embark on a public education exercise to improve compliance and to increase awareness among the general public of the various provisions of the law and their impact.

“Nevertheless, I expect significant segments of the local financial services industry – notably those that have business dealings with European entities – to be already familiar with the proposed Data Protection requirements, which are similar to the European General Data Protection Regulations (GDPR) which they would already have been observing,” the attorney general said.

Under the data protection law, anyone who controls personal data must provide considerable information at the time the data is collected, including why the data is processed and how it is safeguarded.

Individuals also have the right to request and access their personal data that is held by an organization, and data controllers have about 30 days to comply. As a result, companies need to have a system in place enabling them to find the information and report it to the individuals when requested.

Under the new law, it is also important not to keep any personal data longer than necessary. While there are no prescribed time periods, organizations need to analyze how long they should maintain personal data for a specific purpose.

The law was passed in House on March 27 and gazetted on June 5 this year. Once the law comes into effect, the Office of the Ombudsman will be regulating compliance with the law.