Skip to main content

Cayman Islands Data Protection law takes effect

30 September 2019

Make an enquiry

The Data Protection Law, 2017 (the “Law”) came into effect on 30 September 2019 and Lesley Connolly, Regional Head of Regulatory Compliance Services and Operations, shares all you need to know about this new law.

The Law, which focuses primarily on the protection of personal data, introduces eight data protection principles, grants various rights to data subjects, imposes various obligations on data controllers (including as relates to notification of personal data breaches), creates offences and sets out the enforcement measures for non-compliance (including imprisonment and significant fines and penalties), and establishes the functions of a Commissioner. The Law adopts many approaches and definitions from the European Union’s General Data Protection Regulation (GDPR), which does not directly apply to individuals and businesses within the Cayman Islands, and the additional requirements of the GDPR will constitute best practice in the Cayman Islands.

While penalties for breaches are not in the range of those levied by GDPR, they’re significant. Read on to understand the scope, application, penalties for breaches and next steps to take if your business processes personal data in the Cayman Islands.


The Law applies to data controllers that are (i) established within the Cayman Islands and processing personal data in the context of that establishment, or (ii) established outside the Cayman Islands but processing personal data within the Cayman Islands. Cayman Islands companies, partnerships and foreign companies are treated as being established within the Cayman Islands, as are any persons carrying on any activity through an office, branch or agency or regular practice.


The data protection principles, in summary, require the personal data to be (i) processed fairly, (ii) obtained for one or more lawful purpose, (iii) adequate, relevant and not excessive for such purpose, (iv) accurate and kept up to date, (v) not kept for longer than is necessary for such purpose, (vi) processed in accordance with the rights of the data subject under the Law, (vii) protected, through appropriate technical and organizational measures, against unauthorised or unlawful processing and against accidental loss, destruction of damage, and (viii) not transferred to a country or territory unless such country or territory ensures an adequate level of protection to data subjects.


The rights of data subjects under the Law include (i) the right to be informed by a data controller whether his/her personal data is being processed and to be provided with certain information relating to the personal data being processed and a copy of such personal data, (ii) the right to require a data controller to cease processing (including for a specified purpose or in a specified manner) or not to begin processing his/her personal data, (iii) the right to require a data controller to cease or not to begin processing his/her personal data for the purposes of direct marketing, and (iv) the right to require a data controller to ensure that it takes no decisions that significantly impacts him/her based solely on processing by automatic means his/her personal data.

A data subject is able to make an application to the Commissioner for an enforcement order where the data controller fails to comply with a request or notice made by a data subject. The Commissioner has been granted broad enforcement powers and, in addition to requiring a data controller to take steps or refrain from taking steps in relation to processing personal data, can do anything that appears to the Commissioner to be incidental or conducive to the carrying out of its functions under the Law. The Commissioner may issue an order requiring a data controller to rectify, block, erase or destroy personal data and notify third parties to whom such data had been disclosed of the rectification, blocking, erasure or destruction.

Failure to comply with an information requirement, enforcement order or monetary penalty order made under the Law is an offence, which carries liability on conviction to a fine of approximately US$120,000 and/or imprisonment for five years.


The Law requires that, in the event of a personal data breach, the data controller notify the relevant data subject and the Commissioner without undue delay and within five days. A notice of a personal data breach is required to describe (i) the nature of the breach, (ii) the consequences of the breach, (iii) the measures proposed to be taken to address the breach, and (iv) the measures recommended by the data controller to the relevant data subject to mitigate the possible adverse effects of the breach.

Failure to comply with the provisions relating to the notification of personal data breaches is an offence, which carries liability on conviction to a fine of approximately US$120,000.


The Law creates various other offences, including in relation to obtaining, disclosing and procuring the disclosure of personal data without consent of the data controller and sale of personal data. It’s important to note that a director, secretary or similar officer of a body corporate (and any person purporting to act in any such capacity), which has committed an offence under the Law, also commits the same offence if it’s proven that the offence was committed with the consent or connivance of, or was attributable to any neglect on the part of, such director, secretary or officer.

The Commissioner has the power to impose a monetary penalty on a data controller if the Commissioner is satisfied that there has been a serious contravention of the Law and such contravention was of a kind likely to cause substantial damage or distress to the data subject. The maximum penalty permitted under the Law is approximately US$300,000. Unless otherwise provided in the Law, an offence under the Law attracts a fine of approximately US$12,000 on summary conviction or approximately US$24,000 on indictment. Fines imposed under the Law are in addition to the monetary penalty mentioned above.


Any person who processes (or who is not certain that he/she does not process) personal data, whether individually, through a company or partnership formed or registered in the Cayman Islands, or otherwise within the Cayman Islands, should:

  • seek appropriate Cayman Islands advice with a view to ascertaining its status as data controller or data processor
  • determine and document what personal data is being processed, how and why
  • establish policies and procedures to govern data processing activities and ensure compliance with the Law
  • create a privacy notice to inform clients and employees, if applicable, of the type of data held and the purpose(s) for which such data is being held
  • if not established in the Cayman Islands, appoint a local representative


We understand that your privacy is important. Therefore, we respect and protect your right to privacy and will process your personal data in accordance with the provisions of the GDPR and the Law.