The Cayman Islands Cabinet has proposed a start date of January 2019 for strict privacy protection rules that will affect every private and public sector entity involved in processing someone’s personal information.
Before that date, a “working group” consisting of both private sector leaders and government employees will review the law to help draw up plans to implement the paradigm shift in local privacy protection.
The working group will be chaired by Acting Information Commissioner Jan Liebaers. The seven-member panel will include local attorneys Peter Broadhurst, Tim Dawson, and Peter Colegate, as well as Cabinet Office staffers Nadira Lord and Garfield Ellison, and Paul Morgan of OfReg, Cayman’s utilities and commodities regulator.
Once the Data Protection Law takes effect, enforcement and monitoring will be the responsibility of the newly created Office of the Ombudsman. As of Wednesday, the government had not named anyone to fill the ombudsman’s post.
Mr. Liebaers said that while it appears the majority of the law’s provisions will come into force simultaneously, the working group would review the possibility of phasing in certain sections of the law, where necessary.
“In the course of drafting the regulations, the working group will likely consult with a wide variety of stakeholders, and we are also anticipating a general public consultation, subject to approval by the Cabinet,” Mr. Liebaers said Wednesday. “This is an important initiative that will protect the privacy rights of individuals and bring Cayman in line with its international business competitors.”
The legislation and accompanying regulations have major implications for local businesses and international firms in Cayman, as well as for any outside entities that have data processing functions here.
The law’s enactment is seen as vital to the financial services industry, which is keen to access European markets – most of which have been operating under data protection laws since the mid-1990s.
Mr. Liebaers said last month that Cayman businesses should start preparing now for the advent of data protection, but noted that many of the larger financial firms and law firms will already be quite familiar with the concept and already adhere to international best practices. However, many smaller, locally operating companies may be unfamiliar with, or entirely unaware of, what is required.
Mr. Liebaers said he hopes the legal changes will be viewed as generally positive.
“We’re at a point where … either individuals, by means of good laws and regulations, are going to retain some control over their personal information, or that control is going to be entirely lost and be entirely in the hands of private business and big government,” he said.
Mr. Liebaers said several key changes to the law were made from previous versions of the bill, most notably the exclusion of a requirement for government to maintain a register of all “data controllers” – those workers or business entities whose job it is to handle personal information.
The data controllers are given the responsibility of using an individual’s records “fairly,” processing that information only for the legal purpose for which it was provided. For instance, a bank teller giving out details of a person’s accounts to a third party, or an accounts receivable clerk leaving records containing personal information out in a space where they can be viewed by other individuals, could land their employer – the “data controller” – in trouble under the new law.
Cybersecurity is vital when conducting business online, and becomes even more critical with initiatives such as e-government that Cayman is now moving toward, Mr. Liebaers said. He said a number of entities would probably have to look at basic encryption methods for data kept on computers and flash drives.
Compliance with the law can be particularly important in instances where data breaches occur that are largely beyond the control of the company or entity involved, according to Maples attorney Martin Livingston.
“The law requires that a data controller has appropriate organizational and technical safeguards to ensure that there is no unauthorized use of personal data, or loss, damage or destruction of personal data,” Mr. Livingston said. “Therefore, [a company] will have a duty to implement such safeguards.
“Any liability for a hacking would therefore presumably depend on the extent to which the company has complied with such a duty and is able to demonstrate steps taken for the purposes of such compliance. It should also be noted that there is a duty to report any personal data breaches and what steps have been taken to mitigate against the adverse effects of the same.”
The law sets punitive measures for those who mishandle data, but protections have also been inserted for companies or public entities to allow them to make representations in their own defense to the information commissioner/data protection commissioner. Violations of the data protection requirements can draw up to $250,000 in fines, according to the law.
Compass journalist Kayla Young contributed to this report.