Guide to Data Protection Act for Data Controllers


Note: This guidance is based on the United Kingdom’s Information Commissioner’s Office’s Guide to the General Data Protection Regulation (GDPR), available here.

The Data Protection Act (2021 Revision) (the “DPA”) is a powerful piece of legislation. It introduces globally recognized principles about the use of personal data to the Cayman Islands. The DPA aligns the Cayman Islands with other major jurisdictions around the world, notably the European Union, and thereby facilitates the free flow of data – a pre-requisite for the Cayman Islands being an equal and competitive participant in today’s globalized economy.

Moreover, the DPA provides a standard framework for both public and private entities in the management of the personal data they use. Internationally active organisations will find many similarities between the data protection act of the Cayman Islands and of other jurisdictions where they are active. The DPA aims to reduce the administrative burden of operating internationally and cement the Cayman Islands as an attractive jurisdiction in line with international developments.

The DPA also serves as a guide to provide assurance to individuals whose personal data is being processed. Indeed, where individuals feel that they are empowered to manage and control their personal data, they are more likely to share personal data with the organisation, to the benefit of both parties.

The Office of the Ombudsman is the Cayman Islands’ supervisory authority for data protection. As part of this role, the Ombudsman

  • hears, investigates, and rules on complaints;
  • monitors, investigates, and reports on compliance by data controllers;
  • intervenes and delivers opinions and orders related to processing operations;
  • gives orders on rectification, blocking, erasure, or destruction of data;
  • imposes temporary and permanent bans on processing;
  • makes recommendations for reform both generally and targeted at specific data controllers;
  • engages in proceedings where there are violations, and refer violations to the appropriate authorities;
  • co-operates with other supervisory authorities;
  • publicizes and promotes the requirements of the act and the rights of data subjects; and
  • anything else that is conducive or incidental to the Office’s functions.

The Office of the Ombudsman’s approach to data protection is a practical one. We recognize and respect the fundamental right to privacy. At the same time, we understand that fair and lawful processing of personal data is essential to the modern service economy.

The DPA is modelled on European data protection legislation.  Supervisory authorities and court decisions in the European Union will be an important resource for organisations and the Office of the Ombudsman in interpreting and applying the DPA. However, there are a number of differences between the EU legislation and the DPA which must be taken into account when interpreting the legislation. 

The guidance in this document is issued pursuant to sections 34(1) and 41 DPA. It aims to explain how the Office of the Ombudsman will likely interpret certain provisions of the DPA, and is not binding. 


We would like to thank all those who have contributed to this guidance, including Peter Colegate and Peter A. Broadhurst.

Previous Next