In 2017, the Cayman Islands passed the Data Protection Law (DPL), which will take effect in January 2019. Because it is a dependent territory of the U.K., the country’s laws are heavily influenced by U.K. law, and the new DPL reflects the General Data Protection Regulation (GDPR) in the United Kingdom. Furthermore, the Cayman Islands have long been familiar with issues of confidentiality and have noted issues in the offshore world emanating from data breaches such as the Panama Papers and the Paradise Papers.

The DPL provides for the appointment of a “data controller” in the Cayman Islands for entities that are established in the Cayman Islands or that process data there.

The principles of the DPL will be familiar to those who have been handling their organization’s implementation of the GDPR. The commissioner, as defined in the DPL, will enforce and monitor the DPL. Reference is made to two data categories—personal data and sensitive data—both of which are defined in the DPL. The DPL gives individuals the right to access their information and object to its processing, and it also grants them the right to request the information be amended or deleted.

The right to privacy was recognized as a fundamental human right in Article 12 of the 1948 Universal Declaration of Human Rights, and the EU developed the concept. These international agreements impacted the Cayman Islands as a dependent territory of the United Kingdom. Legislation in the mother country was changed to reflect developments in the EU, including the GDPR, which took effect in May 2018.

This regulation replaces the U.K. Data Protection Act and puts new responsibilities on employers to ensure compliance. GDPR principles will remain applicable in U.K. law even after the United Kingdom leaves the EU.


The enactment of the DPL is seen as vital to the financial services industry, which is keen to access European markets, most of which have been operating under data protection laws since the mid-1990s. This is an important and developing area of jurisprudence in the Cayman Islands. Employers may want to enact clear policies for handling personal data and make their staff aware of those policies and how they should respond to subject access requests. If there is a personal data breach that is likely to result in a risk to the rights and freedoms of an individual, the DPL requires that it be reported to the commissioner immediately. Employees have the right to request their personal, data, and employers may want to make arrangements to grant such access in the correct manner. These areas will be developed pragmatically as more legislation is introduced in the Cayman Islands.

Generally speaking, compliance with GDPR principles will ensure that organizations are also compliant in the Cayman Islands. However, the law requires employers and other organizations holding data in the Cayman Islands to appoint a data controller and monitor the interplay between local and international laws on the subject.

Written by Philip S. Boni of Higgs and Johnson and Roger James of Ogletree Deakins