This article considers what an IP’s role is in respect of the recently enacted Data Protection Law, 2017 (“DPL”) and some practical considerations for IPs in the Cayman Islands when faced with managing personal data.

The DPL came into effect as of 30 September 2019. The Office of the Ombudsman is Cayman’s supervisory authority for data protection. The DPL applies to personal data processed by “data controllers” and “data processors”. Cayman financial sector entities established in the Cayman Islands will generally be considered “data controllers”, “data processors” or both. The DPL also applies to “processing” carried out by data controllers established within the Cayman Islands and to data controllers outside of the Cayman Islands that process personal data within the Cayman Islands. The DPL does not carve-out or exempt companies facing financial difficulties or in formal insolvency proceedings.  As a result, the DPL applies to insolvent companies and any appointment taker such as an IP in formal insolvency proceedings.

Definitions under the DPL

The first step in ascertaining whether or not the DPL is applicable to an IP is to establish if the IP is a data controller or a data processor.

  • A “data controller” is the person who alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be processed.
  • A “person” includes any corporation, either aggregate or sole, and any club, society, association, public authority or other body, of one or more persons.
  • A “data processor” is any person which processes personal data on behalf of a data controller but does not include an employee of the data controller.
  • The term “personal data” means data relating to an identifiable living individual referred to as a “data subject”. The data subject does not need to be in the Cayman Islands.
  • The term “processing”, in relation to data, means obtaining, recording or holding data or carrying out any operation or set of operations on personal data.
  • The term “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed.

Under the DPL the data controller is responsible for ensuring that the eight data protection principles are complied with.

Stay current with our latest legal insights and subscribe today