
Cayman’s new data protection law explained

James Heinicke and Cory McCullough, Ogier, Partner and associate, Cayman Islands, 17 June 2017


On 27 March 2017 the Legislative Assembly of the Cayman Islands passed the Data Protection Law. When it comes into force, it will be the islands' first legislative initiative on the subject, according to the international law firm of Ogier.

The Law will come into force on a date set by Cabinet Order and different dates may be appointed for different provisions and in relation to different matters.

The international law firm of Ogier is urging Cayman financial firms and others to inform their staff about the Law and take the following proactive steps before its implementation.

  • Understand your organisation's duties and the extent of any exemptions that may apply to it.
  • Conduct an audit (whether formal or informal) of your organisation's current arrangements and understand how personal data is processed.
  • Create or update your internal data protection policies and procedures (including procedures to validate information held about your 'data subjects,' i.e. the people about whom you hold data).
  • Create or update your external data protection policies and procedures to inform your clients and employees about the data held on them and the purposes for which such data is processed.
  • Agree responsibilities within your organisation to ensure compliance with the Law, to enforce your privacy policies and to deal with information requests from data subjects.

A data controller is a person, firm or company who, alone or jointly with others, determines the purposes, conditions and manner in which any personal data is processed. The Law applies to any data controller (a) that is established in the Cayman Islands, where the personal data is processed in the context of that establishment; or (b) that is not established in the Cayman Islands but processes the personal data in the Cayman Islands otherwise than for the purposes of transit of the data through the Cayman Islands.

'Processing' means obtaining, recording or holding data, or carrying out any operation involving personal data, such as organising, adapting, altering, retrieving, consulting, using or disclosing data by transmission, dissemination or otherwise making it available, or aligning, combining, blocking, erasing or destroying personal data. In other words, the term means any action, however tangential, to do with personal data.

'Personal data' is data relating to a living individual who can be identified, and includes the following.

  • Data such as information about his location and/or any 'online identifier', or anything specific to his physical, physiological, genetic, mental, economic, cultural or social identity.
  • An expression of opinion about the living individual.
  • Any indication of the intentions of the data controller or any other person in respect of the living individual.

Data controllers will generally have to process information fairly and notify data subjects if they are doing so.

Banks' obligations: the basics

The Law, when activated, will oblige all data controllers to comply with a set of data protection principles that relate to the personal data that the data controller processes. Each data controller will also have to ensure that third parties comply with these principles if they are processing personal data on its behalf.

In order for a data controller to process personal data fairly (a requirement laid down in a 'data protection principle,' of which the Law contains many), the data controller must disclose its identity to the data subject, along with the purpose for which the personal data is being processed. In addition, one of the following preconditions must also be fulfilled.

  • The data subject has given consent to the processing.
  • The processing is necessary for the performance of a contract to which the data subject is a party or taking steps at the request of the data subject with a view to entering into a contract.
  • The processing is necessary for legal compliance (other than contractual compliance).
  • The processing is necessary to protect the vital interests of the data subject.
  • The processing is necessary for the administration of justice or the exercise of statutory, governmental or public functions.
  • The processing is necessary for the purposes of legitimate interests pursued by the data controller or the third party to whom the data is disclosed, except in cases where the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

The Law affords added protection to 'sensitive' personal data (racial origin, political opinions, religious beliefs, medical data, sex life, criminal offences etc.).

Direct marketing

A data subject is entitled at any time to require the relevant data controller (within a reasonable time-frame) to cease, or not to begin, processing his personal data for the purposes of direct marketing. This kind of marketing is the communication (by whatever means) of any advertising material, or marketing material, that is directed to particular data subjects.

Automated decisions

A data subject is entitled at any time to order a data controller in writing to ensure that no decision he/it takes that significantly affects the data subject is based solely on the processing by automatic means of the data subject's personal data for the purpose of evaluating the data subject's creditworthiness, reliability, conduct or other matters. If the data controller does take such a decision, it must tell him. He then has 21 days in which to order the data controller in writing to reconsider the decision or to take a new decision on a different basis.

Offences

A partner in a partnership, or a director, manager, secretary or other officer of a bank or other company may be guilty of an offence in addition to the company if the offence is proven to have occurred with his consent or connivance or is attributable to his neglect. Offences under the Law include the following.

  • Unlawfully obtaining or disclosing personal data.
  • Unlawful sale of personal data.
  • Failure to comply with an enforcement notice or an information notice.

Fines (not set yet) could be as high as CI$100,000 (US$122,000) and certain offences are to be punishable by imprisonment. Under the Law the Information Commissioner (who has broad powers to issue orders and levy fines) may also serve a data controller with a monetary penalty order if satisfied on a balance of probabilities that there has been a serious contravention of the Law by the data controller in question and that the contravention was of a kind likely to cause substantial damage or substantial distress to the data subject. Monetary penalty orders could be as high as CI$250,000 (US$305,000).

The Law contains a number of very detailed exemptions and modifications that may apply in situations such as those relating to trusts, corporate financial services, national security, crime, health, education, social work, journalism, historical or scientific research, disclosures required by the law or legal proceedings and legal professional privilege.

* James Heinicke is available on +1 345 815 1768 or at james.heinicke@ogier.com; Cory Macculloch is on +1 345 815 1773 or at cory.macculloch@ogier.com; Ogier’s digest on the subject is to be found here.
