Cayman Islands Data Protection Act 2017 (DPA)

Cayman Islands

v2017 (amended 2021)

6 domains

22 controls

The Cayman Islands Data Protection Act 2017 (as amended) establishes a comprehensive data protection framework for the Cayman Islands. The Office of the Ombudsman serves as the Data Protection Authority. The Act is modelled on the EU GDPR and includes data processing principles, individual rights, breach notification, and cross-border transfer provisions. Important for the Cayman Islands' significant financial services sector.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (6)

Cayman DPA: Controller Obligations and Breach

1 controls

Controls in the Cayman DPA: Controller Obligations and Breach domain of Cayman Islands Data Protection Act 2017 (DPA) — 1 controls
Code	Title	Description
CAYDPA-s16	Personal Data Breach Notification (s.16)	s.16: where a personal data breach occurs, the data controller must, without undue delay and in any event within 5 days...

Cayman DPA: Data Protection Principles (Schedule 1)

8 controls

Controls in the Cayman DPA: Data Protection Principles (Schedule 1) domain of Cayman Islands Data Protection Act 2017 (DPA) — 8 controls
Code	Title	Description
CAYDPA-P1	First Principle - Fair and Lawful Processing	Schedule 1, First Principle: personal data must be processed fairly and lawfully, and only if at least one Schedule 2 co...
CAYDPA-P2	Second Principle - Purpose Limitation	Schedule 1, Second Principle: personal data must be obtained only for one or more specified lawful purposes and not furt...
CAYDPA-P3	Third Principle - Adequate, Relevant and Not Excessive	Schedule 1, Third Principle: personal data must be adequate, relevant and not excessive in relation to the purpose(s) fo...
CAYDPA-P4	Fourth Principle - Accuracy	Schedule 1, Fourth Principle: personal data must be accurate and, where necessary, kept up to date.
CAYDPA-P5	Fifth Principle - Storage Limitation	Schedule 1, Fifth Principle: personal data must not be kept for longer than is necessary for the purpose(s) for which th...
CAYDPA-P6	Sixth Principle - Rights of Data Subjects	Schedule 1, Sixth Principle: personal data must be processed in accordance with the rights of data subjects under the Ac...
CAYDPA-P7	Seventh Principle - Security	Schedule 1, Seventh Principle: appropriate technical and organisational measures must be taken against unauthorised or u...
CAYDPA-P8	Eighth Principle - International Transfer	Schedule 1, Eighth Principle: personal data must not be transferred to a country or territory unless that country or ter...

Cayman DPA: Enforcement and the Ombudsman

3 controls

Controls in the Cayman DPA: Enforcement and the Ombudsman domain of Cayman Islands Data Protection Act 2017 (DPA) — 3 controls
Code	Title	Description
CAYDPA-s43	Complaints to the Ombudsman (s.43)	s.43: a person may complain to the Ombudsman that a data controller has contravened or is contravening the Act; the Ombu...
CAYDPA-s47	Right to Seek Judicial Review (s.47)	s.47: a person aggrieved by an order, determination or decision of the Ombudsman may apply to the Grand Court for judici...
CAYDPA-s55	Power of the Ombudsman to Impose Monetary Penalty (s.55)	s.55: the Ombudsman may impose a monetary penalty order on a data controller or processor for serious contraventions of...

Cayman DPA: Exemptions

2 controls

Controls in the Cayman DPA: Exemptions domain of Cayman Islands Data Protection Act 2017 (DPA) — 2 controls
Code	Title	Description
CAYDPA-s18	National Security Exemption (s.18)	s.18: personal data are exempt from the provisions of the Act where the exemption is required for the purpose of safegua...
CAYDPA-s31	Exemptions by Regulations (s.31)	s.31: further exemptions from the Act may be provided for by regulations; reliance on any such exemption must meet its c...

Cayman DPA: Rights of Data Subjects

5 controls

Controls in the Cayman DPA: Rights of Data Subjects domain of Cayman Islands Data Protection Act 2017 (DPA) — 5 controls
Code	Title	Description
CAYDPA-s10	Right to Stop Processing Likely to Cause Damage or Distress (s.10)	s.10: a data subject may by notice require a data controller to cease, or not begin, processing that is causing or likel...
CAYDPA-s11	Right to Stop Processing for Direct Marketing (s.11)	s.11: a data subject may by notice require a data controller to cease processing personal data for the purposes of direc...
CAYDPA-s12	Rights in Relation to Automated Decision-Making (s.12)	s.12: a data subject may require that decisions significantly affecting them are not based solely on automated processin...
CAYDPA-s14	Rectification, Blocking, Erasure or Destruction (s.14)	s.14: a data subject may apply to the court for an order to rectify, block, erase or destroy inaccurate personal data (a...
CAYDPA-s8	Fundamental Rights of Access to Personal Data (s.8)	s.8: a data subject is entitled, on request, to be informed whether personal data are processed and to be given a descri...

Cayman DPA: Schedules - Conditions and Transfers

3 controls

Controls in the Cayman DPA: Schedules - Conditions and Transfers domain of Cayman Islands Data Protection Act 2017 (DPA) — 3 controls
Code	Title	Description
CAYDPA-Sch2	Schedule 2 - Conditions for Processing (General Personal Data)	Schedule 2: at least one condition must be met for processing of general personal data to satisfy the First Principle (e...
CAYDPA-Sch3	Schedule 3 - Conditions for Processing Sensitive Personal Data	Schedule 3: additional conditions that must be met (in addition to a Schedule 2 condition) to process sensitive personal...
CAYDPA-Sch4	Schedule 4 - Transfers to Which the Eighth Principle Does Not Apply	Schedule 4: the circumstances in which a transfer of personal data to a country without adequate protection is nonethele...

Maps to 1 other framework

22 total controls

GDPR

10 source controls mapped|6 target controls covered

45%

Compare Cayman Islands Data Protection Act 2017 (DPA) with GDPR

Frequently Asked Questions

What is Cayman Islands Data Protection Act 2017 (DPA)?

Cayman Islands Data Protection Act 2017 (DPA) is a compliance framework from Cayman Islands with 6 domains and 22 controls. The Cayman Islands Data Protection Act 2017 (as amended) establishes a comprehensive data protection framework for the Cayman Islands. The Office of the Ombudsman serves as the Data Protection Authority. The Act is modelled on the EU GDPR and includes data processing principles, individual rights, breach notification, and cross-border transfer provisions. Important for the Cayman Islands' significant financial services sector. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Cayman Islands Data Protection Act 2017 (DPA) have?

Cayman Islands Data Protection Act 2017 (DPA) has 22 controls organised across 6 domains. The largest domains are Cayman DPA: Data Protection Principles (Schedule 1) (8 controls), Cayman DPA: Rights of Data Subjects (5 controls), Cayman DPA: Enforcement and the Ombudsman (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Cayman Islands Data Protection Act 2017 (DPA) map to?

Cayman Islands Data Protection Act 2017 (DPA) maps to 1 other compliance frameworks. The top mapping partners are GDPR (45% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with Cayman Islands Data Protection Act 2017 (DPA) compliance?

Start your Cayman Islands Data Protection Act 2017 (DPA) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Cayman Islands Data Protection Act 2017 (DPA) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 22 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required