Skip navigation


Data Protection Law Postponed

Following representations from the Cayman Islands financial services industry, Cabinet has postponed the start date for the Data Protection Law, 2017, which was scheduled to come into force on 29 January 2019.

The new commencement date of 30 September 2019 is aimed to enable all entities impacted by the new law to be ready to meet its requirements.

Attorney General, Hon. Samuel Bulgin, QC, explained that stakeholders in the financial services industry had sought more time to better prepare themselves for complying with the law. This includes completion of training of their existing staff, new staff recruitment, as needed, auditing their existing data and establishing the needed administrative framework.

“Government is hoping that the new starting date will allow all impacted by the law, including data controllers and employers, small and big, in the public and private sectors, sufficient opportunity and time to prepare and be able to comply with the requirements,” the Attorney General commented.

Also, the extra time would help mitigate the impact especially on small businesses which need to familiarise themselves and observe the law in all aspects when it comes into force, he noted.

Additionally, the delay would provide the opportunity to embark on a public education exercise, which Government would use to bring greater awareness to the various provisions of the law and their impact on the general public to help with better compliance, he added.

“Nevertheless, I expect significant segments of the local financial services industry - notably those that have business dealings with European entities - to be already familiar with the proposed Data Protection requirements, which are similar to the European General Data Protection Regulations (GDPR) which they would already have been observing,” the Attorney General said.

The law, passed in House on 27 March 2017 and gazetted on 5 June 2017, was set up mainly for the protection of personal data relating to individuals.

The law specifically covers how to give effect to the rights of privacy of individuals in relation to personal data, including how such data are collected, processed, stored or transmitted, particularly in their dealings with government bodies, corporate entities, practices and firms.

The law was scheduled to come into force some 18 months after becoming a decree.

When the law comes into effect, the Office of the Ombudsman will be regulating compliance with the law.

For further information contact: Suzette Ebanks