What: Guyana Data Protection Bill open for comments.
Deadline: May 3, 2023
- The Guyana Data Protection Bill is of the same genus as the Barbados and Belize equivalents. That is to say:
  - heavy inspiration from the GDPR in terms of overall structure and mechanics; and
  - evidence of inspiration from the UK’s 1998 data protection law in terms of enforcement mechanisms and registration requirements.
- The certification of compliance mechanism by the commissioner is a brilliant (and practical) move that will make data privacy compliance less of a game of ongoing uncertainty and more predictable for businesses.
- The Bill does not expressly make the Data Protection Commissioner independent but includes language making it difficult to remove the Commissioner without good reason. A step in the right direction in my view.
- Huge fines. Up to 4% of the annual revenue may be imposed as a penalty for non-compliance with Guyana’s privacy law where the offender is a company. Because the Bill uses the percentage mechanism (something missing from several other regional laws), the penalties remain proportionate. The penalties are, therefore, less likely to completely bankrupt smaller businesses that run afoul of the law while still sending the apt signal when larger businesses breach the law.
- The Bill has sizeable (and impactful) administrative penalties that the regulator can directly enforce (equivalent to approximately 50,000 USD). For context, this is more than previously seen in the region (e.g. the maximum administrative penalty in Barbados is closer to 25,000 USD).
- Specific liability for the leadership of offending companies. Directors and members of the C-suite of companies breaching the law will be liable, separate from the company itself. Liability will arise where the leadership knew what was going amiss and did nothing. Huge implications for corporate governance going forward.
A copy of the Bill as at April 16, 2023 is available on the Government’s website and below.