Data privacy in the Caribbean
Laws surrounding data privacy, security and protection — and compliance with those laws — have become increasingly important with the novel coronavirus pandemic accelerating the digital transformation of companies while also driving e-commerce.
But as countries like Jamaica and Barbados prepare to enhance e-government services with the roll-out of their respective national identity systems, the need for regulations and guidelines for data privacy and security becomes even more pronounced.
According to data privacy commissioner of The Bahamas, Michael Wright, “With the ongoing digitisation transformation of government services, it is believed that data protection would become a more topical piece among those utilising the services. As training, development and education offerings continue, data subjects whose personal information we protect should be more at ease.”
On this basis, regional information technology managed services provider Cloud Carib, on May 18, hosted a webinar exploring the topic ‘Caribbean Data Protection Acts: Expectations vs Reality’. Trinidadian data protection advisor Rishi Maharaj and Eamonn Sheehy, director of public sector at Cloud Carib, served as panellists.
Here are some takeaways.
Key facts
The Bahamas was the first Caricom member state to pass a data protection law, back in 2003; however, the legislation only became enforceable in 2007. According to The Bahamas’s Data Protection Commission, there were more than seven billion breaches between 2013 and 2018.
Following The Bahamas, Trinidad and Tobago introduced a data protection law in 2011, which became partially enforceable in 2012.
Member countries in the Organisation of Eastern Caribbean States also have a Data Protection Bill, which is provided as a complement to the Electronic Transactions Bill. Introduced in 2016, the legislation regulates the collection, use and disclosure of personal information and sets access rights.
While Jamaica and Barbados have led the new wave of data protection laws, territories such as the Cayman Islands, Bermuda, British Virgin Islands, and Belize have also embarked on passing legislation.
GDPR
The data protection laws in Jamaica and Barbados mirror, in most cases, the European Union’s General Data Protection Regulation (GDPR), which views data privacy as a human right, falling under Article 8 of the Charter of Fundamental Rights of the European Union.
Although the GDPR was drafted and passed by the EU it also has mandates for organisations outside the bloc, so long as they target or collect data related to people in the EU.
Eight principles
There are eight principles that guide data privacy and protection:
(1) collection, (2) accuracy, (3) purpose, (4) disclosure, (5) moderation, (6) length of time, (7) restricted access and (8) jurisdiction.
Why should Caribbean countries be concerned?
While companies have benefited from an enhanced “digital presence” across the globe that allowed them to offer digital services and use technology in different ways, Maharaj pointed out that more and more citizens are becoming aware of the data they input online, the types of personal data companies collect on them, and the different ways in which the companies they interact with use the data.
In this regard, he argued that companies have a duty of care to their clients and customers who place their trust in them.
“If I have to do business with you or if you want me to do business with you and engage in services with you, obviously that will involve me giving certain types of personal data and I have to trust that you will utilise my data in a transparent, accountable way; that you will put it in a secure place to protect that data; and that you will not use it in any other way than which we agreed it should be used,” he stated.
Moreover, he explained that citizens are now asking why companies want so much data, and for what purpose.
“There’s a great movement in the Caribbean for countries to pass laws, not only to force companies to deal with the protection of data but to protect the data of citizens,” Maharaj noted.
What are the areas that data protection laws should address?
A company must determine if it is a data controller or a data processor, or both.
Sheehy explained that Cloud Carib is more so a data processor, being a shared services provider, but since it collects data on its employees it is also a data controller.
He further pointed out that contracts between data controllers and data processors should be clear, descriptive and detailed about the collection, use, transfer, and disposal of data.
“So we as service providers have to look at our own internal controls, look at the technology we use, and prove to the data controller that we can meet GDPR requirements,” the Cloud Carib director explained.
He added that the company also has to document what IT systems are in place, where personally identifiable information is stored, what security protocols are in place to protect the data — both through external interfaces and internal controls — and who has access to the data.
In countries like Barbados and Jamaica companies need to employ a data protection or data privacy officer within the respective organisations to ensure compliance with laws. They also need to take into account the penalties associated with breaches of data security.
Misconceptions
While citizens may believe that consent should be granted for the collection and dissemination of data, Maharaj said that companies are not always bound to obtain consent. He pointed out that there are other legal bases on which an organisation can process personal data — contractual arrangements, legal obligation (as in the case of companies that must satisfy anti-money laundering laws) and the provision of public services.
Another misconception he shared was that many believe data protection laws prevent innovation. Instead, Maharaj argued, they guide organisations in understanding the risks, the environment in which they are operating, and the need for proper risk assessment. In Jamaica and Barbados, for example, the laws require that companies conduct a data protection impact assessment to mitigate risks.
Some companies are of the view that they cannot employ a data management service provider or share information outside their jurisdiction, but Maharaj said this is a fallacy. Rather, laws require due diligence when sharing data with third parties and there should be data-sharing agreements that outline what type of data is being shared and why.
According to Sheehy, while the commissioner of data privacy in The Bahamas prohibits the sharing of data outside the country, in Barbados the law requires that the country receiving data should have an “adequate level of protection for rights and freedom”.
Difference in laws
While the legislation in Barbados and Jamaica requires that companies employ a data privacy or data protection officer, the Data Protection Act in The Bahamas has no such provision.