Beyond the 2019 Data Protection Act: Rebuilding Trust in Barbados’ Digital Future

by Steven Williams 10/12/2024

Writing this article has been uniquely challenging—not because of its technical complexity, but because it requires balancing fairness with my conflicted feelings about how cybersecurity and data privacy have been addressed in recent times. With calls growing for the government to pause certain digital transformation initiatives due to concerns about cybersecurity readiness, I hold a more nuanced view. While readiness concerns are valid, I believe most projects should proceed—provided they are supported by robust safeguards and accountability measures to mitigate risks.

Digital Transformation in Barbados: A Critical Juncture

Several statutory corporations in Barbados are at pivotal stages of their digital transformation. The Transport Board has introduced cashless systems, the Barbados Revenue Authority (BRA) now operates primarily online, and the Queen Elizabeth Hospital (QEH) is transitioning to paperless operations. These initiatives, while innovative, have sparked public concern over cybersecurity vulnerabilities—particularly as they integrate cashless payments with the national ID program. However, these cybersecurity concerns point to a deeper issue: the lack of robust Data Governance programs to guide these transformations effectively.

What is Data Governance and Why Does It Matter?

Data Governance refers to the policies, processes, and standards that ensure data is managed responsibly—kept accurate, secure, and compliant with regulations.
It determines who can access data, how it is handled, and how privacy and security are maintained. For critical services like healthcare and public transportation, Data Governance is essential to mitigate risks, ensure compliance, and protect public trust.

This brings us to a glaring problem: our approach to digital transformation is putting the “cart before the horse.” While the Data Protection Act 2019 sets a legal framework, the government has not implemented three essential safeguards required to instil public confidence.

Three Key Safeguards for Rebuilding Trust

Appointing Data Privacy Officers (DPOs): The Data Protection Act mandates that statutory corporations appoint DPOs. Section 67 explicitly states that “the data controller and the data processor must designate a data privacy officer where the processing is carried out by a public authority or body.” A DPO ensures accountability by overseeing data protection measures and conducting Data Privacy Risk Assessments before launching large-scale projects like a cashless payment system or going paperless, as is the case with the QEH. Yet, to my knowledge, only the BRA has complied with this mandate.

Establishing a National Data Governance Framework: A comprehensive Data Governance framework is needed to clarify data classification—determining which information is private, classified, or public—and define access controls. For example, at the QEH, such a framework would ensure consistent handling of Electronic Medical Records (EMRs), improving security and interoperability across healthcare providers. While a Data Governance program was submitted to Cabinet in 2022, its approval remains stalled. This delay undermines public sector initiatives and exposes critical systems to unnecessary risk.

Creating a Cybersecurity Authority: Section 62 of the Data Protection Act requires organisations to implement technical and organisational measures to secure personal data.
However, the absence of a unified Cybersecurity Authority leaves a significant gap in enforcement and coordination across public agencies and critical infrastructure. While the Data Commissioner’s Office exists, its role is primarily quasi-judicial, focusing on compliance oversight and adjudication of personally identifiable data-related issues only. A Cybersecurity Authority, in contrast, would have a cybersecurity operational mandate, including:

- Set and enforce national cybersecurity policies.
- Monitor and respond to emerging threats.
- Provide guidance, training, and resources to public agencies.
- Coordinate responses to cyber incidents across government and private sectors.

Such a body is crucial to protecting our critical infrastructure and ensuring consistent cybersecurity standards.

Addressing Readiness Concerns

Some have called for pausing digital transformation projects to address readiness gaps. While understandable, a full halt could slow desperately needed business transformation and deny citizens the benefits of modernised services. A balanced approach is preferable: advancing these projects while prioritising safeguards like DPO appointments, Data Governance frameworks, and the creation of a Cybersecurity Authority.

A Path Forward

The government’s digital transformation ambitions are commendable, but they must be matched with strong protections. By implementing these three safeguards, Barbados can:

- Better protect its critical infrastructure from breaches and disruptions.
- Align public projects with global standards for data privacy and cybersecurity.
- Rebuild public trust in the safety and reliability of digital services.

In the end, these measures aren’t bureaucratic red tape—they are essential guardrails to ensure that digital progress doesn’t come at the expense of security or privacy. Barbados must seize this moment to build a digital future that is both innovative and trustworthy.
Conclusion

To thrive in the digital era, Barbados needs more than just technology-driven projects—it needs to foster trust. By appointing Data Privacy Officers, finalising a Data Governance framework, and establishing a Cybersecurity Authority, we can safeguard our critical infrastructure, protect personal data, and empower citizens to embrace the benefits of digital transformation. With the right policies in place, our nation can secure a resilient and prosperous digital future.

steven@dataprivacy.bb

Steven Williams is the executive director of Sunisle Technology Solutions and the principal consultant at Data Privacy and Management Advisory Services. He is a former IT advisor to the Government’s Law Review Commission, focusing on the draft Cybercrime bill.

Disclaimer: The views and opinions expressed by the author(s) do not represent the official position of Barbados TODAY.