Law: The Data Protection Law, 2017 (Law 33 of 2017) (the Law) and the Data Protection Regulations, 2018 (SL 17 of 2019) (the Regulations)

Regulator: Office of the Ombudsman (the Ombudsman)

Summary: The Cayman Islands is an autonomous British Overseas Territory. The Data Protection Act (2021 Revision) (the Act), supplemented by the Data Protection Regulations, 2018 (SL 17 of 2019) (the Regulations) came into effect on September 30, 2019. The Act was drafted with the aim of achieving adequacy status with the EU under the GDPR.

The Act applies to any data controller that is established in the Cayman Islands and processes personal data or a data controller who is not established in the Cayman Islands but that processes personal data in the Cayman Islands, other than for the purposes of transiting such data. Notably, the Act states that data controllers not established in the Cayman Islands must nominate, for the purposes of the Act, a local representative established in the Cayman Islands who must be the data controller for the purposes of the Act and bear all obligations under the Act. Further, the Act and Regulations establish various data subject rights, such as the right to access, rectification, to be informed, and the right to file a complaint and seek compensation for violations of these rights. The Act and Regulations also set similar legal grounds for data processing as defined in the GDPR, and restrictions on data transfers. However, unlike the GDPR, there are no equivalent data protection officer appointments or Data Protection Impact Assessment requirements and matters such as data processing records are only addressed in general terms.

The Cayman Islands is also a member of the Caribbean Financial Action Task Force (CFATF) and an Associated Member of the Caribbean Community (CARICOM).