‘Get familiar with data protection laws’

Companies should be aware of the risks of noncompliance under the new data protection law.

This caution has come from Managing Director of Privacy Advisory Services Rishi Maharaj, who indicated that the various fines could be detrimental.

The Data Protection Act, which was passed in August 2019 and proclaimed in March 2021, regulates the collection, keeping, processing, use and dissemination of personal data. It also governs the protection of the personal data of individuals.

Officials have not given a deadline for companies to become fully compliant with the Act, which carries hefty fines for breaches reaching up to $500,000 and jail time of up to three years.

Maharaj said it was critical for companies in Barbados and other countries with data protection laws to adhere to the requirements.

“Companies first need to understand that data protection is here and it is not going to go anywhere and you need to take the necessary steps in order to be able to comply with the laws: that would be first understanding the law and understanding your jurisdictions,” said Maharaj.

“There may be companies who may be multi-jurisdictional or a company that is looking to target EU nationals. You need to be aware of the laws and the compliance laws that fall under the EU. You need to know your customer, but you need to know your data. You need to know what data you collect, how you collect it, the total lifecycle from collection to use, to sharing, to transferring, to when you no longer need it anymore, and you need to do what we call a data mapping exercise or develop a record of processing activity,” he said.

“I know the Barbados law for example, speaks to that where comptrollers in Barbados and processors need to develop an active record of processing activity. You need to understand your data and everything about it and by that you will be able now to see where your gaps are in the organisation in the law and then filling those gaps with a proper compliance programme in place, because there are risks, and one of the risks is financial,” he added.

He said that in Barbados, while the fines under the Data Protection Act were not as exorbitant as in some other jurisdictions, it is still a fine nonetheless that is not good for companies depending on size and scope.

“That also has reputational damage towards it. So you need to be aware of that . . . ,” he said.

“Most of the regulators here in the region, even the ones in Barbados and Jamaica, are actively seeking guidance from the information commissioner office in the UK and other regulators in the EU, as to what they need to do to be effective regulators. And worldwide, regulators are now moving from the check box type of mentality to actively demonstrate that you are complying with the law,” he explained.

He made the comments while addressing a virtual Cloud Carib seminar on Wednesday on the topic: Caribbean Data Protection Acts: Expectations Versus Reality.

In his contribution, Director of Public Sector at Cloud Carib Eamonn Sheehy said government should question if there would need to be a review to some contracts as they carry out the digitisation exercise.

He said this was especially important given that most of the online services used in the region were housed in the US, which was not considered a “safe jurisdiction” for EU personally identifiable information data.

“The question is, do such contracts need to be renewed or reviewed to ensure compliance with GDPR? And it is worth, in that context, noting that based on the fact that countries like Barbados and Jamaica their GDPR model is very closely aligned to the EU and the EU does not recognise the United States as a safe jurisdiction for EU personally identifiable information data, that should at least put a flag up to say perhaps we need to review this,” said Sheehy.
(MM)