When the DPL takes effect, organizations will need to have a deep understanding of what personal data they possess and how they process it. They will need to demonstrate a clear oversight of personal data lifecycle management from data collection, usage, storage, sharing and destruction. This would make it easier to comply with new data subject rights such as right to stop/restrict processing, right of access.
1.Data Inventories and Mapping
A data inventory is an overview which includes all the necessary information about personal data processing, such as legal ground, purpose(s), categories of data, retention times, conducted risk analysis and the third parties it is shared with. This helps to mitigate the risk of data breaches which go unidentified or are discovered too late when damage has been done. The inventory will be used as a register of all the data processes within the organization.
2.Right to stop/restrict processing
Individuals have the right to stop or limit the way and purpose for which a data controller uses their data. This also includes the right for their personal data to be erased. Organizations need to create and/or maintain an efficient process on how to handle such requests. In addition, there is need to establish data retention periods and how to effectively and securely delete/destroy personal data once the purpose for processing is completed.
3.Right of Access
Individuals have the right to request copies of their personal data and other information about the processing such as purpose(s), categories of data, recipients with whom the personal data have been disclosed to, territories/countries outside the Cayman Islands with which you share or intend to share the personal data. Organizations need to implement processes to identify such requests, achieving clarity on which data needs to be provided, extracting the requested data efficiently and providing the data in a standardized form.
Due to the DPL, organizations will need to make changes to the ways technologies are designed and managed. In addition, there is also a need to implement security safeguards to ensure the protection of the integrity of personal data and to prevent misuse or unauthorized access to personal data. Some of these safeguards include data masking, pseudo-anonymization and encryption.
Data breaches which are likely to result in a risk for the rights and freedoms of individuals will now have to be reported to the Office of the Ombudsman and the affected individual(s). This must be done within 5 days of detection. This means organizations should revise their incident management procedures and consider processes for regularly testing, assessing and evaluating their end to end processes.
2.Privacy by Design
Although not mandatory, the concept of Privacy by Design (PbD) has been recommended by the Ombudsman. Organizations will need to ensure data protection safeguards that protect accuracy, confidentiality, integrity, physical security and deletion of personal data are at the forefront of the personal data management lifecycle. While organizations are not mandated to perform Data Privacy Impact Assessment (DPIA), it is suggested that a DPIA is performed. DPIAs are a proven and effective tool to assess privacy risks.
The DPL requires that every aspect of personal data processing is done securely by means of appropriate technical and organizational measures. Measures such as encryption can be implemented. This is useful and reduces the risk for personal data stages such as storing of personal data, transmission of personal data over a network, and personal data in use. Given the potential fines, organizations need to increase their focus on a robust information and cyber security regime.
Legal and Compliance
The DPL introduces new requirements and challenges for the legal and compliance functions. There is renewed emphasis on organizational accountability which will require proactive, robust privacy governance requiring organizations to review how they write privacy policies to make these easier to understand.
1.Privacy Notices and Consent
Organizations need to ensure that consent as one of the legal grounds for law was “freely given, specific, informed and unambiguous” while being able to demonstrate that these criteria have been met. In addition, organizations need consider carefully how they construct their public-facing privacy policies to provide more information.
The Ombudsman will be entitled to impose fines of CI$100,000 or imprisonment for a term of 5 years or both against the Data Controller. Monetary penalties of up to CI$250,000 may also be issued.
Restrictions have been placed on the transfer of personal data to countries outside the European Union (EU) and countries who do not offer adequate protection. If the organization is unsure, an authorization from the Ombudsman may be required before cross-border transfer can be done. Legal and procedural safeguards such as Data Transfer Agreements are allowed.
How Deloitte can help
- Deloitte has a dedicated team of privacy specialists, with deep expertise in leading privacy programmes across large scale and complex organizations, embedding change.
- Comprehensive DPL readiness assessment and compliance roadmap
- Privacy Impact Assessment (PIA)
- Personal data breach investigation and management
- Incident response and forensic investigation support
- Privacy by Design control framework
- Data discovery, mapping and inventories
- Policy analysis and design (such as Privacy policies & procedures, guidelines, privacy notices, cross border transfer mechanisms)
- Regulatory liaison advice
- DPL Technology Impact & Compliance Assessments
- Privacy Risk and Compliance training
Source: Content featured on this page is based on Deloitte research from the Office of the Ombudsman website.