Ready or not, here it comes.
The Cayman Islands’ long-awaited Data Protection Law will come into force in less than three months, on 30 Sept., and the businesses that haven’t prepared for it need to start doing just that.
That was a key message delivered by Deputy Ombudsman Jan Liebaers at the Cayman Islands Business Environment Update presented by the Cayman Islands Institute of Professional Accountants on 15 May at the Grand Cayman Marriott Beach Resort.
Liebaers explained that the Data Protection Law was a long time coming: after discussion in the 2000s, it spent about eight years in drafting and was finally passed by the Cayman Islands Legislative Assembly in May 2017. It was expected to come into force on 29 January 2019, but the effective date was postponed last November to September of this year.
Although there are some defined exclusions, at least parts of the law apply to almost everyone doing business in the Cayman Islands.
“This law applies so broadly that it applies to just about any activity you can imagine,” Liebaers said.
The law details how businesses and other entities must process personal data, which encompasses obtaining, recording, holding, organising, adapting, altering, retrieving, consulting, using, disclosing, aligning, combining, blocking, anonymising, erasing, destroying or any other process involving personal data.
Personal data relate to any living individual who can be identified directly or indirectly by the data and include everything from names, addresses, contact details, organisational memberships and opinions to various categories of sensitive personal data. What is considered sensitive personal data is also widely defined. It includes a person’s race or ethnicity, political opinions, religious or similar beliefs, physical and mental health conditions including genetic or any other medical data, details about their sex life, details about the commission or alleged commission of an offence, as well as the results of any court proceedings, including their outcome.
Liebaers said there were eight principles of data protection, starting with fair and lawful use. Fair processing means the data subject should be informed by the data controller — the person who determines the purposes, conditions, and manner in which data is processed — who they are and for what purpose they will be using the subject’s personal data. This information should generally be provided at the moment it is being collected. To legally collect the data, there generally needs to be consent or a legal contract that requires the processing of personal data.
Another principle requires a purpose limitation — personal data can be used only for their original purpose. Other principles cover the minimisation of data collected; storage limitations; and the rights of data subjects to have access to the information collected, to request the data controller to update or correct errors in stored data and the right, in some cases, to have the data controller stop processing data.
As long as a business has personal data about people, it is responsible for it, Liebaers said.
“It’s a liability and you must provide the right to access,” he said. “Keep only what you need to keep for as long as you need to keep it.”
Data controllers must also keep any stored data secure and confidential and transfer the data internationally only to jurisdictions that have adequate data protection laws. In addition, if a data controller shares personal data with a third party — like when outsourcing back-office functions — there must be a data-processing agreement in place and the “data processor” can act only on the instructions of the data controller.
One of the things Cayman Islands businesses should do as a matter of priority, if they haven’t already, is create a data map of all the data they hold.
The data map would identify all personal data belonging to customers, clients, suppliers, pupils, patients or others held by a company — what it is; who has it; how, why, when and where they got it; and how long they’ve had it.
“And don’t forget your employees,” Liebaers said.
Data subjects could, within their rights, come to a business and say they want to see all the personal data a business has about them, Liebaers said.
“What are you going to do?” he asked. “Are you in a position to know where all that information is?”
Liebaers said that the Ombudsman website at ombudsman.ky/data-protection has a template businesses can use to map their data. Guidance notes and other information about the Data Protection Law are also available at that website for businesses, small entities and for individuals.
Once the law goes into effect, the Ombudsman’s office will be charged with monitoring and enforcing the law. Liebaers said he didn’t want to speak too much about enforcement at this point because some of the internal processes are still being sorted out.
However, any breaches of the law could be punishable by substantial fines. Liebaers said the Office of the Ombudsman intended to take a risk-based approach to enforcement.
“We’re not going to come down hard on you if the impact (of a breach) is not serious,” he said. “But we are taking this seriously.”