In just under 3 months, Cayman’s Data Protection Law (DPL) will come into force. If you are only just turning your mind to it, complying with the new legislation will probably seem a daunting task, but there is still time to get ready for the September 30, 2019 effective date. The good news is, help is at hand.
What are the key priorities?
To give you a head start, we have set out below six key actions to prioritise now:
1. Update your data protection policy and procedures to reflect the necessary changes to ensure compliance with the DPL. Make sure you send an updated data privacy notice to your customers, and as required, it should be displayed on your website.
2. Perform a data mapping exercise to identify the personal data that you have, how it is
processed, how it is obtained and the service providers (i.e., third parties) it is shared with.
This information will help you assess which data processing activities must comply with the
DPL.
3. Review the basis under which personal data is collected and processed. Businesses may
only collect, and process personal data based on one or more prescribed processing
grounds (i.e. a: Fair and Lawfulness Use, b: Purpose Limitation, c: Data Minimization, d:
Data Accuracy, e: Storage Limitation, f: Respect for the Individual's rights, g: Security,
Availability, Integrity and Confidentiality and h: International Transfers). Changes may
need to be made to existing business processes to ensure compliance with the DLP.
4. Put in place adequate policies and procedures to enable you to respond to a data
breach and, where applicable, notify the Information Commissioner without undue delay,
but no longer than five days.
5. Data subjects will have new rights under the DPL, such as the right to know the purpose
for which their data is being processed, the recipients (or third parties) their data is being
disclosed to, the countries or territories outside Cayman their data is transferred to
(oriented to transfer), to be provided with access to their personal data and the right for
the data to be rectified, blocked, erased or destroyed whereinaccurate.
6. Identify any transfers of personal data outside Cayman (countries or territories) and make
sure that there is full compliance with the strict requirements under the DPL as to how
these can be done. Data transfer agreements should be in place.
7. Data retention periods are not defined in the DPL, however, each business should
determine how long data should be kept for. Similarly, it will be important to evaluate how
personal data can be securely deleted once the purposes of holding it has been fulfilled.
8. Failure to comply with the new DPL could result in fines of up to Cl$100,000 or
imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to
Cl$250,000 are also possible under the Law.
Help is at hand
The DPL will change the way you and your customers work together to ensure that data is secure and the rights of privacy of the data subject are respected. At BDO, our experienced Data Privacy team will help support and prepare you for the September 30, 2019 deadline. To get help with any final preparations or queries you have, please call Richard Carty at +1 (345) 943 8800 or email rcarty@bdo.ky.