Mobile Menu

Privacy and Data Breaches In the Cayman Islands

October 2021 Róisín Liddy-Murphy

Since the introduction of the Data Protection Act (the “DPA”) in 2017, there has been a steady increase in the number of data protection breaches that have been reported to the Office of the Ombudsman . It is expected that this increase is set to continue considering the number of businesses that record personal information in respect of individuals particularly those of employees and clients in conjunction with the greater awareness and concern over individual’s privacy rights. In this regard, it is important for Cayman Islands entities that process personal data are aware of their obligations under the DPA and are in a position to recognise and adequately respond to a privacy breach or notifications that occur.

Application of the DPA

The first step in ascertaining as to whether or not the DPL is applicable to a Cayman entity is to establish if the entity is a data controller or a data processor.

  • A “data controller” is the person who alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be processed.

  • A “person” includes any corporation, either aggregate or sole, and any club, society, association, public authority or other body, of one or more persons.

  • A “data processor” is any person which processes personal data on behalf of a data controller but does not include an employee of the data controller.

  • The term “personal data” means data relating to an identifiable living individual referred to as a “data subject”. The data subject does not need to be in the Cayman Islands.

  • The term “processing”, in relation to data, means obtaining, recording or holding data or carrying out any operation or set of operations on personal data.

  • The term “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, access to, personal data transmitted, stored or otherwise processed.

The DPA defines “personal data” very widely and it is the data controller that is responsible for ensuring that the eight data protection principles are complied with when processing personal information.


To continue reading full articles in PDF format:
Privacy and Data Breaches In the Cayman Islands


Róisín Liddy-Murphy

Cayman Islands   +1 345 814 7371


"I enjoy working with them - they are very dependable, reliable and responsive."
- Chambers Global