March 31, 2021.
A proclamation issued a few days earlier has fixed that date as the day the Barbados Data Protection Act, 2019-29 comes into effect. Put another way: March 31 is when the privacy compliance landscape in Barbados will change permanently.
Since its passage in 2019, the Act has been widely acknowledged as being among the most advanced privacy laws in the Caribbean region. Why? The Act draws heavy inspiration from the European Union’s General Data Protection Regulation (GDPR). The GDPR is, arguably, the most comprehensive privacy law in the world today.
Practical changes coming with the Act include the following:
- Organisations will now have to consider drafting privacy policies to help users understand exactly how/why/where/when their information is being processed.
- Breach notification. When a data breach occurs, businesses will be obligated to alert the regulator within 3 days.
- For the first time, a number of businesses will have to implement mechanisms to facilitate requests from customers or employees (data subject access requests) to provide, edit or delete any of their personal information being processed by the organisation.
- Breaches of the Act will expose businesses to significant fines of up to US$250,000.
- Following the proclamation of the Act, some organisations in Barbados will also need to consider hiring data privacy officers to oversee the privacy function internally and liaise with the regulator.
Not all provisions of the Act will become enforceable after March 31. Specifically, businesses in Barbados will not be obligated to register with the regulator as controllers or processors of data as the provisions creating this obligation have not yet been given the green light. There is no clear timeline for the proclamation of these provisions. It is presumed that these will be proclaimed after the regulator has set up a registry mechanism.
On a lighter note, the proclamation of the Act keeps my prediction of operationalisation by Q3, 2021 on track. In this regard, it remains to be seen how soon the Government of Barbados will move to officially appoint the regulator – the Data Protection Commissioner – and allocate resources to funding her office. It is not unreasonable to expect this move to happen soon, considering the Commissioner already has a duty to serve as the enforcer for another recently passed law: the Barbados Identity Management Act.