The Cayman Islands Data Protection Law, 2017 ("DPL"), which was expected to come into force in January 2019, will now not come into force until September 2019. The Office of the Ombudsman has issued a Guide for Data Controllers which aims to explain how the Ombudsman will interpret certain provisions of the DPL. Businesses are therefore well-positioned to prepare.

Overview of the DPL

International financial sector businesses will find many similarities between the data protection law of the Cayman Islands and of other jurisdictions where they are active. The DPL requires a data controller to comply with eight data protection principles when processing personal data and to ensure that those principles are complied with in relation to personal data processed on the data controller's behalf pursuant to a written contract. The DPL deals also with data security, data breaches and the rights of individual data subjects, including providing a privacy notice.

The DPL applies to personal data processed by "data controllers" and "data processors". Financial sector entities established in the Cayman Islands will generally be "data controllers", "data processors" or both. The DPL applies to processing carried out by data controllers established within the Cayman Islands. In certain cases, it applies to data controllers outside the Cayman Islands that process personal data within the Cayman Islands.

Even those financial services businesses whose clients and counterparties are all entities will nevertheless process personal data. For example, an investment fund with an entity investor will typically process personal data of that investor's individual representatives, directors and beneficial owners.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.