The Data Protection Law is effective from 30 September 2019 and provides a framework of rights and duties designed to give individuals greater control over their personal data (ie, any information relating to an identified or identifiable natural person). It was implemented with the specific aim of achieving compliance with EU requirements for personal data to flow freely between EU member states and the Cayman Islands without the need for additional mechanisms to be implemented.
The Data Protection Law applies to personal data processed by ‘data controllers’ and ‘data processors’. Financial sector entities established in the Cayman Islands will generally be data controllers and/or data processors, as will data controllers and/or data processors outside the Cayman Islands that process personal data within the Cayman Islands.
In general terms, the Data Protection Law:
- requires relevant persons to comply with eight data protection principles when processing personal data and to ensure that those principles are complied with in relation to personal data processed on their behalf pursuant to a written contract;
- includes provisions with respect to data security, data breaches and the rights of individual data subjects, including providing a privacy notice;
- includes provisions giving individuals the right to access personal data held about them and to request that any inaccurate data be corrected or deleted; and
- requires businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted.
Although prescribed data retention periods are not set out in the Data Protection Law, analysis will need to be undertaken on a case-by-case basis to determine how long data should be retained.
The Information and Communications Technology Authority (ICT) is an independent statutory authority in the Cayman Islands which is responsible for the regulation and licensing of telecommunications, broadcasting and all forms of radio, including ship, aircraft, mobile and amateur radio. The ICT conducts the administration and management of the ‘.ky’ domain, and also has a number of responsibilities under the Electronic Transactions Law.
The Computer Misuse Law includes various provisions dealing with such matters as:
- unauthorised access to computer material;
- unauthorised access with intent to commit or to facilitate the commission of further offences;
- unauthorised modification of computer material;
- unauthorised use or interception of computer service; and
- interference with computers that causes them to cease to function.
CIMA has additionally published guidance notes with respect to cybersecurity and the need for licensed entities to take steps to implement prudent cybersecurity measures. The guidance notes also require certain cybersecurity breaches to be disclosed to CIMA.