Data Protection Law Takes Effect on 30 September 2019



The Data Protection Law, 2017 (“DPL”), which was passed on June 5, 2017 and intended to take effect in January 2019, will come into force on September 30, 2019.

Based on the EU’s General Data Protection Regulation (EU/2016/679), the DPL introduces important rights and responsibilities relating to the use and processing of an individual’s personal data. The DPL applies to both individuals and organizations.

Personal data has been defined as data relating to a living individual who can be identified, directly or indirectly, from that data. It includes data such as a living individual’s location, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual.


Individuals will now have the right to control how their personal data is collected and processed and will have the right to:

  • request access to personal data
  • know how the personal data is being used
  • know who has access to personal data
  • object to the processing of personal data for the purposes of direct marketing
  • stop the processing of personal data which is not necessary
  • request that personal data be rectified or erased
  • require that personal data not be transferred outside of the Cayman Islands without the necessary security protections
  • receive compensation for damages incurred as a result of a breach of data protection
  • lodge a complaint with the Ombudsman 


The DPL applies to all businesses and organizations which collect and use personal data in the Cayman Islands, irrespective of the size and nature of the business conducted. If the business or organization determines the purposes, conditions and means of the processing of personal data, alone or jointly with others (i.e. a data processor subject to written agreement), the DPL imposes certain obligations on it as a data controller to ensure that personal data is:

  • processed fairly and lawfully
  • collected and processed only for specified purposes
  • adequate, relevant and not excessive
  • accurate and kept up-to-date
  • retained only for as long as it is necessary
  • processed in accordance with the individual’s rights
  • not subject to decisions made solely by automatic means on matters which will significantly affect the individual
  • protected through appropriate technical and organizational measures
  • transferred only to countries with an adequate level of data protection

It is expected that organizations will take steps to convey the above information to all individuals whose personal data they collect and use (e.g. customers, suppliers and employees) and to implement policies and procedures to ensure proper protection of personal data. Failure to comply with the DPL could result in a data controller being liable on conviction to a fine of up to CI$100,000 or imprisonment for a term of 5 years or both. Other monetary penalty orders of an amount up to CI$250,000 may also be imposed.

For more information, contact Gina M. Berry or Francine Bryce.

The information contained in this bulletin is provided for the general interest of our readers, but is not intended to constitute legal advice. Clients and the general public are encouraged to seek specific advice on matters of concern. This article can in no way serve as a substitute in such cases. Copyright ©2019 Higgs & Johnson. All rights reserved.
