Q. Based on your experience, do companies in the Cayman Islands properly understand their data protection duties? To what extent are you seeing rising awareness?
A. The Cayman Islands Data Protection Act (DPA) came into force in September 2019. The Office of the Ombudsman, which is the Cayman Islands supervisory authority for data protection related matters, has issued a Guide for Data Controllers, which aims to explain how the Ombudsman will interpret certain provisions of the DPA. The Ombudsman also has a clear and informative website. Parties must have a strong understanding of their data protection duties. This requires them to regularly review and prepare privacy notices, data protection policies and data processing terms, as well as conduct training and assess and report on data breaches. Many parties, particularly those which are global financial sector businesses, may find similarities between the data protection law of the Cayman Islands and of other jurisdictions where they are active, including the European Union's (EU's) General Data Protection Regulation (GDPR).
Q. When companies undertake data processing activities – including handling, storage and transfer – what regulatory, financial and reputational risks do they need to manage?
A. A broad range of entities undertake data processing activities. The DPA applies to Cayman Islands data controllers, which therefore bear direct regulatory risk, but does not have direct application to data processors, whose risk is contractual. The DPA applies regardless of whether the data subject is in the Cayman Islands. Both data controllers and data processors are exposed to financial and reputational risk arising from data breaches, as well as potential complaints and litigation risk from data subjects. Financial sector entities established in the Cayman Islands will generally be 'data controllers', 'data processors' or both. Even those financial services businesses whose clients and counterparties are all entities will nevertheless process personal data. For example, an investment fund with an entity investor will typically process personal data of that investor's individual representatives, directors and beneficial owners. Processing is often undertaken in the context of services provided for Cayman Islands entities by service providers, such as investment fund administrators or group entities.
Q. What penalties might arise for a company that breaches or violates data or privacy laws in the Cayman Islands?
A. The DPA provides a detailed framework for complaints to the Ombudsman and the Ombudsman's power to investigate. The Ombudsman has substantial enforcement powers under the DPA, including information orders, enforcement orders, inspection and seizure powers and monetary penalty orders. The DPA also provides for several offences, with penalties including fines of up to CI$250,000 – around US$300,000 – and imprisonment. Where an offence under the DPA has been committed by an entity, a director, member, secretary or similar officer of that entity may also be regarded as having committed that offence. In addition, all regulated financial sector businesses are subject to Cayman Islands Monetary Authority (CIMA) regulation in relation to cyber security, in the form of a Rule on Cybersecurity for Regulated Entities and a Statement of Guidance on Cybersecurity for Regulated Entities. These rules and guidance overlap in scope with data protection requirements under the DPA and are enforceable by CIMA.
Q. What insights can we draw from recent data breach cases? What impact have these events had on the data protection landscape?
A. There have been four enforcement orders made by the Ombudsman to date, with the first in respect of the Registrar of Companies in August 2020, followed by further enforcement orders in respect of a local school and a retail chain, each in March 2021, and in respect of the Department of Agriculture in August 2021. These have all taken the form of findings, recommendations and decisions rather than imposing penalties. There have also been 16 published informal resolutions. These cases show that the Ombudsman is actively regulating a wide variety of breaches and complaints and will not shy away from holding government bodies, as well as the private sector, accountable. The Ombudsman has publicly stated that its primary goal is to help organisations become compliant and to support individuals in the exercise of their data protection rights.
Q. In your experience, what steps should a company take to prepare for a potential data breach, such as developing response plans and understanding notification requirements?
A. Data breaches continue to become more prevalent, and it is important that entities have a response plan in place. Timing to notify the Ombudsman and impacted data subjects and, if applicable, CIMA is very tight – five calendar days and 72 hours respectively – so a plan needs to be in place in advance. But the notification requirement is only one element. There are potentially many other aspects to consider in terms of managing legal and business risk, including containing and resolving the breach, preserving evidence, potentially obtaining legal advice on whether the breach is notifiable, and managing communications to impacted data subjects and, potentially, also customers generally, the wider public, the media, shareholders and other stakeholders, so as to minimise brand damage. Additional aspects include potentially ensuring communications are channelled via lawyers to preserve legal professional privilege over materials that may affect liability, and, where a breach involves a risk of identity theft or fraud, considering recommendations to customers, such as resetting passwords. Entities should also consider insurance coverage and ensure that insurers are notified promptly.
Q. What can companies do to manage internal risks and threats, such as rogue employees?
A. In addition to having a response plan in place, entities should identify their key data and key risks and apply resources accordingly. In addition to having a data protection plan and a response plan in place, it is important to be able to demonstrate an appropriate response to a data breach involving any staff. Employee training and awareness are crucial, and entities may need to consider disciplinary action in respect of an employee who has not followed policy.
Q. Going forward, how important will it be for companies to remain focused on data protection efforts, continually enhancing their controls and risk management processes?
A. The Ombudsman takes all relevant circumstances into account when deciding on the appropriateness and severity of enforcement measures. However, as these expressly include the nature of technical and organisational measures taken by an entity, evidence of due diligence toward compliance with the DPA and the data controller's history of data protection compliance, it makes sense for entities to remain focused on data protection efforts not only from a commercial perspective, but also in terms of managing regulatory risk. It is important that controls are reviewed and refreshed on an ongoing basis to ensure they remain relevant, appropriate and well understood. This is an area where regulatory requirements align with good business sense.
Originally published by Financier Worldwide: Data Protection & Privacy Laws.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.