* About the Author updated September 20th, 2018.
The Cayman Island’s Data Protection Law (DPL), which aims to regulate the future processing of personal information, is due to come into effect in January 2019.
The DPL arrives shortly after the rollout of the EU’s new General Data Protection Regulations (GDPR) and is based on global, widely-accepted privacy principles, including core concepts such as notice, access, and disclosure to third parties. Similar to the GDPR, the DPL offers a framework allowing individuals to maintain more control of their personal information. Not surprisingly, as a result of the similarities in the goals both laws aim to achieve, many compliance requirements under the DPL mirror those obligations set forth under the GDPR.
The Cayman’s Office of the Ombudsman will be responsible for enforcing the DPL and has issued guidance of the steps that should be taken immediately to achieve compliance by the time the laws take effect.
Sandy Hermiston, Cayman Ombudsman, stated, “I want to encourage everyone who gathers personal data to take these ten steps to raise awareness, become familiar with basic concepts, and learn more about their legal rights and obligations. The time to prepare for compliance is now!”
The guidance, the Data Protection Fact Sheet—Ten Steps to Take Now, specifically explains the existence of overlap in the many definitions and requirements outlined under the GDPR and states that the legislation employs the EU data protection model. The Fact Sheet contains guidance on key areas such as impact assessments, data breaches, consent, and the legal basis for processing information. Much of the guidance includes direct references to the same key areas as described under the GDPR.
As stated by the Ombudsman, similarities between the DPL and the GDPR include an overlap in key definitions such as, “Personal Data,” “Data Controller,” “Data Subject” and “Data Processor.” However, there are additional similarities in key concepts described throughout both sets of laws.
For example, under both the DPL and the GDPR, data subjects must receive a substantial amount of information from data controllers at the time of data collection and processing. Such information must include the purposes behind the processing of the personal data, the safeguards in place to protect the data subject’s data, and the details relating to any data that may be transferred outside of the region. Both laws provide data subjects the right to obtain confirmation about processing and the ability to access their personal data, and both the DPL and the GDPR indicate an expectation for this type of information to be provided to data subjects via notice.
With respect to the retention of a data subject’s personal data, both the DPL and GDPR indicate general guidance that personal data should not be kept for longer than is necessary to fulfil the purpose for which it was collected. Both laws avoid establishment of specific retention periods, and as we know, local countries within the EU are permitted to establish specific retention
periods as they see fit. While both the DPL and GDPR require an analysis to determine an appropriate retention period based on different data types, under the GDPR, data controllers must inform data subjects of the time period determined. No such requirement exists under the DPL.
Moreover, the DPL and GDPR permit transfers outside of the Cayman Islands and the EU. Similar to the GDPR, under the DPL, contracts and model clauses can be put in place to control protection adequacy of data transfers with third-party processors or between members of the same group of companies. However, with respect to the treatment of data by data processors in particular, the GDPR sets out more-detailed requirements for processors than the DPL. Nevertheless, under the DPL, it is still recommended that specific contractual clauses—such as those stating, for example, specific security measures that should be in place—be put in place between controllers and processors, in order to achieve best practices.
Given that there is a great deal of overlap between the DPL and the GDPR, public and private sectors should consider assessing whether frameworks and procedures established to comply with the GDPR can serve as adequate protection measures to meet obligations under the DPL.
About the Author
Ms. Columbo leads eSpear’s global legal and compliance initiatives and oversees eSpear’s sales and customer support teams. Previously, Ms. Columbo worked for Brightstar Corp., a multinational wireless services provider and SoftBank company headquartered in Miami, Florida, as the company’s Associate Corporate Counsel, Global Ethics & Compliance.