In the past 3+ months, the Office of the Ombudsman, the supervisory authority with responsibility for enforcing the Data Protection Act, 2017, has issued three enforcement orders for breaches of Cayman’s privacy law.
Two of the enforcement orders are against private sector actors – Jacques Scott Group Ltd. in Case 201900212 and the St. Ignatius Catholic School in Case 202000820. The third enforcement order, Case 202000892, is against the Department of Agriculture.
In my view, the DoA order is the most interesting of the triad of decisions. The determination of the regulator turned on the question of whether the data controller had a valid lawful basis for processing activity (spoiler: it had none!). That should, perhaps, be the subject of a separate post, however.
The three enforcement orders bring to four, the total number of formal decisions issued by that British Overseas Territory’s regulator since the passage of its privacy law.
The important signal is that the Cayman regulator is continuing efforts to hold data controllers to account. That 3 of the 4 enforcement orders have come in short order of each other could be read as an uptick in general enforcement efforts of the regulator.
That said, it should be stressed that much of the Ombudsman’s work continues to take a light-touch approach. In addition to the four enforcement orders, the vast majority of enforcement activity has resulted in informal resolutions; 19 so far. Also, none of the investigations of the Ombudsman have resulted in monetary penalties to-date.
All three enforcement orders summaries are embedded below for convenience.