Caribbean privacy regulations fast-changing, complex
Twelve of the 15 CARICOM Member States and three out of the six CARICOM Associate Members have either enacted data protection laws or taken steps to do so. Ten years ago, only five countries had privacy legislation in place. Things have been changing fast.
In some countries laws have been brought fully into force, others have seen partial enforcement, and in still others there are only indications of laws to come. The Bahamas and St Vincent and the Grenadines, for example, had their privacy laws on the books from as far back as 2003. In other countries, like Jamaica, the Data Protection Act 2020 became effective in December 2023. The Organisation of Eastern Caribbean States (OECS) has a bill in place that it hopes will lead to unified legislation for territories that use the EC Dollar.
Despite all the movement on a similar path, the regulations in these countries do not all mirror each other. Interestingly, for example, Jamaica’s Data Protection Act does not include a risk threshold in determining whether a data subject must be notified of a personal data breach, unlike many of the other regional and international data protection laws.
Differences like that can make it difficult, particularly for companies that operate in several jurisdictions, to maintain effective oversight of their compliance obligations.
Businesses forced to change in complex regulatory environment
Understanding that the landscape is diverse and complex is just one of the compliance challenges. Added to that are societal perceptions towards privacy and data protection and years of organisational culture pertaining to marketing, privacy governance, and the use of volumes of customer and employee data. Particularly for entities offering multiple products and services across jurisdictions, third-party risk is also a major consideration. Entities are now faced with the task of imploring their long-standing vendors and suppliers to update their data protection practices or risk being exposed to regulatory fines and potential reputational harm.
With a combined population of roughly 20 million, the CARICOM Member States and Associate Members are generally united by a common language (English) and their colonial history, with the exception of Haiti, Suriname and Curacao. However, business practices have grown to match not just each country’s size, but its particular industries. With close to three million residents, Jamaica is the most populous of the English-speaking countries, and Montserrat, with about 5,000, is the least populous. Tourism is a main industry in many islands, but consumer services, banking and finance, manufacturing and petroleum are also significant.
Alignment with GDPR
One area in which data protection in the region has seen some uniformity is the inclusion of aspects of the European Union’s General Data Protection Regulation (GDPR).
A 2020 study by the Economic Commission for Latin America and the Caribbean examined this alignment in the data protection laws of six countries: Antigua and Barbuda, The Bahamas, Barbados, Belize, Cayman Islands, and Jamaica.
“Three of the newer laws, Barbados’ Data Protection Act 2019, the Cayman Islands’ Data Protection Law 2017 and Jamaica’s Data Protection Act 2020, have at least one area of full alignment and several areas of substantial alignment. These recently enacted laws have benefited from being drafted to achieve close alignment with international best practice for data protection, following the adoption of the GDPR in 2016,” a report on the study said.
Regional and industry bodies creating own regulations
In line with the enactment of legislation, regional, national or industry bodies have also published their own data protection regulations. Not only are these organisations fulfilling their obligations under the respective laws, but they are also making it incumbent upon members or organisations with whom they have business contact to do the same.
The CARICOM Secretariat, for example, has developed its own data privacy rules, and the Central Bank of Barbados published its Technology and Cyber Risk Guideline in 2023.
Private companies and government agencies alike have been engaging privacy professionals to develop comprehensive programmes that cover everything from data mapping to breach reporting.
Conclusion
The development or enactment of data protection legislation in the Caribbean has been happening rapidly. With nations differing in size, economies and industries, the landscape is somewhat complex. However, organisations keen to be compliant have been engaging privacy professionals to develop full-scale programmes.
It is important to note that having laws and regulations in place does not mean the absence of data incidents or breaches. In fact, having mandatory rules or guidelines to steer the response to these happenings is somewhat in anticipation of their occurrence.