Barbados' privacy blind spot and why cybersecurity isn't enough

Local News / Technology. By Steven Williams, 07/10/2025. Updated by Barbados Today, 07/10/2025. 6 min read.

Could businesses be abusing the rights of clients and customers—without even realising it?

Lately, I've noticed more and more business leaders—and even some public officials—confusing data protection with cybersecurity. To be fair, the mix-up is understandable. "Cyber" has become a catch-all term for anything involving data, and the word "protection" naturally brings to mind security tools like firewalls or antivirus software.

But this conflation has real consequences. When businesses equate privacy with security, they risk overlooking their legal and ethical obligations to handle personal data fairly, transparently, and with respect for individual rights. And in a country where the law is called the Barbados Data Protection Act, 2019 (DPA), the confusion is compounded. In hindsight, had it been called the Barbados Data Privacy Act, perhaps it would have offered the upfront clarity—and distinction—we so clearly need.

Data protection vs cybersecurity: Understanding the core difference

While often used interchangeably, data privacy and cybersecurity are not the same. Cybersecurity is primarily about protecting systems and networks from unauthorised access, attacks, and disruption. It focuses on defending infrastructure, endpoints, and data from external and internal threats.

Data protection, as envisioned in the DPA, is concerned with how personal information is lawfully collected, used, stored, shared, and eventually deleted. It focuses on the rights of individuals and requires organisations to be both responsible and transparent in how they handle personal data.

Think of it this way: cybersecurity locks the doors and windows; data protection decides who is allowed in, why, and what they're permitted to do once inside.

Why the focus now?

So why raise this now, you may ask? Because it's been five years since the DPA was passed, and yet many organisations are still missing the basics—like having a clear privacy notice or ensuring their staff are trained to handle personal data responsibly.

And what do I mean, exactly? Just recently, I visited a well-known, long-established retail merchant. At checkout, a friendly employee asked if I had their membership card. I said 'no'. She then asked if I'd like to join. What she didn't mention was anything about a privacy notice, or how my personal information—name, phone number, email, purchase history—would be collected, used, stored, or safeguarded.

The fact that a well-meaning employee could collect personal data without any reference to customer rights speaks volumes. But it also highlights a second issue: an uninformed public. Too often, individuals are asked to hand over their personal data without being told how it will be used—or even that they have rights under the law. That's not just a business gap; it's a public awareness challenge, and one that perhaps now requires greater effort from the government itself.

So, what should the public know?

At a minimum, every citizen should be aware that they have rights under the DPA whenever their personal data is collected. These include:

The right to be informed – You have the right to know why your data is being collected, how it will be used, and who it may be shared with—even after you've handed it over. Businesses must remain transparent not just at the start, but throughout their use of your information.

The right to access – You can request a copy of the personal data a business or organisation holds about you—typically provided in a format like a PDF or Excel file.

The right to rectification – If your information is incorrect or incomplete, you have the right to request that it be corrected.

The right to erasure – In some cases, you can ask for your data to be deleted—if there are no outstanding contractual obligations or legal requirements that require the business to retain it.

The right to object – You can object to how your data is being used, especially for marketing purposes such as unsolicited emails, text messages, or promotional outreach.

The right to withdraw consent – If you previously gave permission for your data to be used, you can later change your mind and withdraw that consent—again, provided there are no unresolved legal or contractual obligations.

What businesses should be doing

Five years on, many businesses still treat privacy as an afterthought. But under the DPA, it's a legal obligation—and a trust issue. Here's what every business should be doing:

Post a privacy notice – Clearly explain what data you collect, why, and how it's used—before customers hand it over.

Train your staff – Ensure employees understand what constitutes personal data, when and how to obtain consent, the broad outlines of your data policy, and how to handle individual rights requests.

Know your data – Track what you collect: customer information, emails, and CCTV footage, especially where the footage is used to identify individuals. In many cases, this footage amounts to sensitive data, which must be handled with extra care.

Assign responsibility – Appoint someone to oversee privacy and liaise with the data commissioner if needed.

Review your vendors – Ensure third-party providers (e.g. payroll providers like Pay-Pak or cloud tools like email services) also follow privacy rules—you remain legally accountable.

The way forward: Leadership through privacy

In a digital world, privacy is no longer optional. It's a strategic advantage—and the businesses that lead on privacy will lead in trust, loyalty, and long-term success.

Yet compounding the challenge is the absence of visible enforcement. To date, there have been no publicly disclosed penalties or sanctions under the Data Protection Act. While the data commissioner's office may be focusing on awareness and capacity-building before consequences, the absence of visible cases risks normalising non-compliance. This regulatory silence may unintentionally signal that privacy obligations can be deprioritised.

But that's precisely why forward-thinking organisations must embrace privacy proactively—not out of fear of penalties, but because it's the right thing to do. In fact, in the absence of visible enforcement, leadership becomes even more critical.

When businesses understand the difference between cybersecurity and data privacy—and take deliberate steps to build a privacy program—they don't just tick a legal box. They build:

Credibility
Customer trust
Operational clarity

Customers benefit from:

Greater transparency
More control over their personal data
Increased confidence when sharing information

Businesses benefit from:

Fewer legal and reputational risks
Stronger, more loyal customer relationships
Clearer internal practices that reduce complaints and missteps

By treating data privacy as a core business principle—not just a compliance requirement—Barbadian businesses can lead by example and help shape a more responsible digital economy.

steven@dataprivacy.bb

Steven Williams is the executive director of Sunisle Technology Solutions and the principal consultant at Data Privacy and Management Advisory Services. He is a former IT advisor to the Government's Law Review Commission, focusing on the draft Cybercrime bill.

Disclaimer: The views and opinions expressed by the author(s) do not represent the official position of Barbados TODAY.