Data Protection Guide

Travel restrictions and social distancing resulting from the COVID-19 pandemic have accelerated the widespread use of technology in business and personal transactions and communications. Most online services and apps require certain personal information for identification purposes. Businesses should be aware of the laws relating to the collection, processing, retention, sharing and disposal of personal data. On a national level, public health authorities in various jurisdictions have sought to collect and share medical data as part of the effort to combat and contain the spread of the virus. One unanticipated consequence has been the huge increase in the collection of personal data, particularly data relating to infected people's age, gender, occupation, residential address and all the places where they have been during the period leading up to testing positive. Whilst governments may be able to rely on national security or public interest exemptions under local data protection laws to collect and share personal data during times of crisis, individuals are increasingly concerned about how their personal data may be used, with whom it may be shared and the impact on their rights.

Appleby has launched an Offshore Data Protection Guide to provide a detailed overview of the privacy and cybersecurity regimes in Bermuda, the British Virgin Islands, the Cayman Islands, Guernsey, the Isle of Man, Jersey, Mauritius and the Seychelles. In addition to outlining local data protection frameworks, the guide provides valuable regulatory information on everything from collecting personal information and obtaining valid consent to law enforcement and international transfers of personal data.

A copy of the guide is available here.


The Digital Asset Issuance Act 2020 (DAIA) became operative on 6 May 2020 and effectively transferred the responsibility for the administration of offerings of digital assets to the public from the Registrar of Companies to the Bermuda Monetary Authority (BMA). An overview of DAIA has been included in our last update which can be accessed here.

In connection with DAIA, the BMA has published:

  1. Notice - Digital Asset Issuance Statement of Principles and Digital Asset Issuance Rules 2020;
  2. Notice - Digital Consultation; and
  3. Consultation Paper - Digital Asset Business Accounts Rules 2020.

The notices were published as required by DAIA in relation to certain matters which shall be complied with by all authorised undertakings where applicable.

Industry players and stakeholders are encouraged to submit their comments to these consultations. In addition to traditional means of responding to consultations, responses can now be provided through a new online tool which allows responses to be sent via tablet/mobile devices. The new pilot tool may be rolled out to other consultations going forward, depending on feedback. The BMA hopes to create an efficient consultation process by creating a fully digital environment.

Cayman Islands

The VASP Law

The Virtual Asset (Service Providers) Law, 2020 (VASP Law) was gazetted on 25 May 2020 and aims to promote the use of new technology and innovative enterprise in the Cayman Islands while complying with newly adopted international standards set by the Financial Action Task Force. An overview of the VASP Law was included in the Q2 2020 update, which can be accessed here. The VASP Law is not yet in force; we await the gazetting of a commencement order.


On 27 May 2020, the Cayman Islands Monetary Authority (CIMA) gazetted Rule - Cybersecurity for Regulated Entities and Statement of Guidance - Cybersecurity for Regulated Entities. In response to the increasing importance of technology and innovation in the conduct of businesses by regulated entities, CIMA sets out certain principles and minimum expectations in the implementation of robust cybersecurity measures and management of cybersecurity-related risks. The Rule and the Statement of Guidance will come into effect within six months of 27 May 2020. All entities regulated by CIMA will need to comply with the Rule.

Cybersecurity policies and procedures are expected to be documented and subjected to internal audit or assessment. Regulated entities must also demonstrate that data protection is part of their strategy and that their cybersecurity framework takes into consideration the provisions of the Data Protection Law, 2017 (see the "Data Protection Guide" section above).

Originally published 18 August 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.