Join us on 25-29th October 2022
Harbor Club, Saint Lucia

Welcome to our Cybersecurity workshop

Do you want to speak with a cybersecurity expert? We got you!

DATA PRIVACY IN THE CARIBBEAN OVERVIEW

Stay up to date with the new privacy legislation expected to be put in place in the near future.

Bahamas

The Data Protection Act was created in 2003 and protects personal information processed by the private and public sectors.

Database registration is not necessary under Bahamas law, and there are no existing DPO or data breach notification requirements.

Bahamas law does not restrict cross-border transfers, which can be made upon the express or implied consent of a data subject (Section 17(8) of the DPA). There are no specific mechanisms that apply to international data transfers from the Bahamas.

Jamaica

Jamaica established the Data Protection Act in 2020, which details who the new law applies to and the requirements for personal data storage and handling. Under this Act, anyone who processes personal data or collects this data from individuals is considered a data controller and is responsible for adhering to the Act.

Regardless of a person's or organization's physical location, any data processed through Jamaica must adhere to the country's privacy Act.

Any data controller that is not established in Jamaica must appoint a representative. That representative must be a Jamaican resident, an entity established in Jamaica, or a person who maintains in Jamaica an office, branch or agency through which the person carries on any activity or a regular practice.

Data controllers must comply with data protection standards and must report data breaches within 72 hours.

8 Data Controller Standards
  • Fair and Lawful Processing: Data may only be processed if the subject consents to data processing, and this consent has not been withdrawn. For processing of sensitive data, this consent must be in writing.
  • Obtained only for Specified Lawful Purposes: Data should be collected only for specified and lawful purposes and shall not be processed in any manner that is incompatible with those purposes.
  • Data Quality: Personal data collected must be adequate, relevant and necessary relative to the purpose for which the data is processed.
  • Accurate and Up to Date: The data must be accurate and kept up to date when necessary.
  • Limited Retention: The data may not be kept for longer than is necessary and will need to be disposed of following regulations.
  • Processed in Accordance with the Rights of Data Subjects: A data controller must process personal data respecting data subject rights, such as the right to access the data and the right to prevent processing of the data in certain specified circumstances.
  • Protected by Appropriate Technical and Organizational Measures: A data controller is required to put in place appropriate technical and organizational measures to protect the data.
  • International Transfers: Transfer of data outside of Jamaica is prohibited unless an adequate level of protection can be ensured.

Aruba

Aruba's 'Personal Data Protection Ordinance' was enacted in 2011. The Ordinance protects the privacy of natural persons in both the private and public sectors.

Specifically, the law applies to files kept by data controllers that have been collected in Aruba, regardless of the current location of the files. If those files contain personal information about people living in Aruba, the data is protected under the Ordinance.

There are restrictions on cross-border transfers in Aruba, but database registration is not required.

  • A DPO is not required
  • Data security breach notifications are not required
  • The Minister of Justice and Security enforces Privacy laws in Aruba
Trinidad and Tobago

Trinidad's Data Protection Act was established in 2011 and protects personal privacy and information collected by public and private organizations.

In 2012, the Act was partially enacted and included Part I of the Act and various sections. Part II of the Act has not been passed, and no immediate timeline has been established for enacting the remaining parts of the DPA.

Some parts of the current Act are expected to change before becoming law but what those changes might be remains to be seen.
Bermuda

Bermuda's Personal Information Protection Act was created in 2016 and protects the privacy rights of individuals.

Under this Act, organizations that use information or collect data must adhere to the Act's privacy laws, including individuals' right to control how their personal information is used, organized, and shared.

The principal provisions of PIPA are not yet in force but are expected to come into force in 2022.

The government has appointed an independent Privacy Commissioner to enforce compliance. Bermuda's Privacy Commissioner has the task of providing detailed information to individuals and organizations and educating both companies and the public on privacy rights and requirements.
Curacao

The Personal Data Protection Ordinance protects personal data in Curacao. However, there are no laws protecting databases or generalized data in Curacao.

Personal data cannot be collected without explicit permission and consent.

There are some exceptions to the consent requirement for the collection and processing of personal data, where processing is necessary:
  • For the performance of an agreement
  • To meet a statutory obligation
  • For a vital interest of the person concerned
  • In the interest of a public duty
  • In connection with a legitimate interest of the processing party, unless the interests or fundamental (privacy) rights of the person concerned prevail

Barbados

The Data Protection Act (the "Act") was passed on August 12, 2019, and came into force in March 2021. The purpose of the Act is to regulate the collection, keeping, processing, use and dissemination of personal data and to protect the privacy of individuals in relation to their personal data.

  • Organisations will now have to consider drafting privacy policies to help users understand exactly.
  • Breach notification: When a data breach occurs, businesses will be obligated to alert the regulator within 3 days.
  • Businesses will have to implement mechanisms to facilitate requests from customers or employees (data subject access requests) to provide, edit or delete any of their personal information being processed by the organisation.
  • Following the proclamation of the Act, some organisations will also need to give consideration to hiring data privacy officers to have oversight of the privacy function internally and liaise with the regulator.
  • Breaches of the Act will expose businesses to significant fines of up to US$250,000.

Cybersecurity Risk Assessment

We have created a dynamic spreadsheet that tracks past and projected cybersecurity projects to facilitate ROI calculation.

If you need more information or a custom security assessment, get in touch with us.
