As personal data develops into an increasingly valuable business asset, the Cayman Islands and Bermuda have responded by passing comprehensive data protection laws. Cayman’s Data Protection Law was passed in March 2017 and is due to come into force in January 2019, while Bermuda’s Personal Information Protection Act will come into full force in December 2018. Both laws support a growing expectation from international businesses and their clients that organizations operating in offshore centers have in place extensive data protection compliance policies backed up by robust data privacy legislation.
Drafted around a set of internationally recognized privacy principles, the new laws will provide a framework of rights and duties designed to give individual data subjects greater control over their personal data and, once in full force, will stand as the most comprehensive data protection laws in the region.
With less than 12 months before the new laws take effect, businesses in Bermuda and Cayman should start taking steps to achieve compliance. With fines of up to $250,000 per breach and possible imprisonment for non-compliance, organizations need to get it right — reputations and criminal liability will soon be at stake.
1) Conduct a personal data audit
Every organization, regardless of its size, uses personal data; data from which the identity of an individual can be ascertained. As an increasingly valuable business asset, personal data needs to be carefully managed and protected. The first step towards achieving compliance under the new law is to understand exactly what personal data the business uses, where that data is held, the purposes for which that data is used and where that data is transferred to and from.
Customer data
For consumer-facing businesses, personal data is often held in customer databases. In the era of mobile devices and cloud computing, however, identifying the full extent of an organization’s customer data holdings can be difficult, as the databases may not always be clearly marked out as such and may be distributed widely within an organization or held by third-party processors. Attention needs to be given to whether data is being collected online, via mobile handsets, through CCTV footage, telephone calls or in paper form and whether that collection is being done directly or through third parties. Engaging with HR, business development and technology teams is critical to successfully auditing all customer data holdings.
Both the PIPA and DPL define “personal data” widely to catch any data relating to a living individual who can be identified directly or indirectly from that data. Data that has been anonymized or aggregated may not strictly be personal data but should still be included as part of any audit. With the rise of social media and online public data sources, the ability to re-identify individuals from anonymized data sets is now easier than ever and is becoming increasingly common through the use of big data analytics.
Employee data
Employee data almost always includes “sensitive personal data” — which includes information about an individual’s health, religion and ethnic background. Sensitive personal data is a separate class of personal data under the new laws in both jurisdictions and is subject to enhanced protection before it can be processed.
Other personal data
Many organizations will also hold personal data about individuals who may not be their direct customers, such as directors, company officers and shareholders, as well as family members and other individuals who are connected to customers or employees. Any personal data that has not been directly obtained from a customer of the business will still be regulated by the new laws. It is therefore essential to identify data holdings of this type as the business may not have any direct contractual relationship with these individuals.
2) Determine the purposes of processing
Once all personal data holdings have been identified, the organization needs to assess how the data was obtained and the purposes for which each group of data is being processed. One of the fundamental rights for individuals under the new laws in both Bermuda and Cayman is that personal data is only processed for purposes that the individual has been notified of in advance and has consented to. As part of this assessment, organizations should also consider their business plans to ensure that the collection and processing of data for any future initiatives or new technology deployments is also understood.
3) Map data transfers
In an age where highly sensitive personal data can be exchanged at the touch of a button, understanding where personal data is being transferred to from its different points of collection is vital. Data transfers can broadly be of two types — (i) third-party processor scenarios in which the recipient simply processes the data in accordance with the transferor’s instructions but has no right to process that data for any new purposes; and (ii) group transfers, which are transfers within the organization, to business partners or to affiliated companies that collaborate in determining the purposes for data processing. Both types of transfer will be relevant, although the compliance requirements will differ in each case.
Under both the DPL and PIPA, recommended best practice would be to put in place a contract between the controller and processor (or other controllers in the case of a group transfer) to ensure that any personal data is processed only for authorized purposes, that all data is stored and transmitted securely, and that disaster recovery practices are in place in the event of a data breach. Essentially, the contract should require the recipient of the data to level-up its policies and procedures for handling personal data to ensure compliance with the new laws.
4) Data access, correction, retention and deletion
Both laws give individuals the right to request access to personal data held about them by an organization and to ask that any inaccurate data be corrected or deleted. Businesses will need to have procedures in place to manage and act on these requests in a timely manner. Businesses will also be obliged to cease processing personal data once the purposes for collecting that data have been exhausted. Prescribed data retention periods are not set out, but an analysis will need to be undertaken to determine how long data should be kept. Similarly, it will be important to evaluate how personal data can be securely purged once the purposes for holding it have been fulfilled by the organization.
5) A top-down compliance program
Implementing a data protection compliance program involves engagement with the right stakeholders across the organization and creating an effective governance regime for approving, overseeing, implementing and reviewing the various policies. A coordinated chain of command should be developed, together with written reporting procedures and protocols including seeking and complying with legal advice. The appointment of official roles such as a data protection officer is now a requirement in Bermuda and is recommended best practice in the Cayman Islands.
Compliance training will be required for personnel at all levels, including key external service providers. Serious misconduct should be addressed with appropriate disciplinary action at all levels of seniority. The compliance program should be reviewed regularly to take into account changes in the law, changes in the types of data being collected and the purposes for which that data is being used, and new technologies and operating procedures.