What's happening with regional data protection legislation?

BitDepth#1355

MARK LYNDERSAY

AT A webinar on May 18, Eamonn Sheehy, public sector head of Cloud Carib and Rishi Maharaj, data protection adviser with Privicy, discussed the current state of data protection legislation in the Caribbean.

The region is on the cusp of big changes in the oversight of data handling within Caricom's borders, but it isn't clear that all the nation states of the archipelago are pushing in the same direction with equal enthusiasm.

The Bahamas led the adoption of data protection legislation in April 2007, followed by TT, which made its legislation enforceable in 2012.

Recent data protection laws in the Caribbean have been heavily modelled on the European Union's General Data Protection Regulations (GDPR), with Barbados and Jamaica enacting laws heavily influenced by the legislation.

The British Virgin Islands, the Bahamas, Bermuda and Belize are also following the model.

In TT, the Data Protection Act has been passed into law but has not been fully implemented, with legislation passed and a budget allocated to create an information commissioner's office.

There is no office. There is no information commissioner.

The TT Government has begun amending the act and is preparing for consultations with private and public sector stakeholders.

A draft bill is expected to be read in Parliament soon that will include provisions taken from GDPR to be in greater compliance with more recent legislation enacted in Jamaica and Barbados.

From a service provider's perspective, the greatest challenge to delivering cloud-based services as a data processor or data controller is the unevenness in the legal regimes in use in the Caribbean region.

In Barbados and Jamaica, according to Sheehy, there is a specific requirement that data processors and controllers must be registered with the data protection commissioner in those countries.

While Cloud Carib primarily operates as a data processor, Sheehy notes, "We are not a data processor in every case.

"If we provide certain kinds of services, such as secure active directory services, identity and access management data key management, then we could be identified as a data controller.”

"If a cloud provider is acting as a data processor," Sheehy said, "the contracts that are required with the data controllers, the owners of the data, should become more descriptive and more detailed in a legal environment that is based on GDPR.”

"Companies need to understand that data protection is here and that they need to take appropriate steps to comply with the laws," said Maharaj.

"Start by understanding the laws in your jurisdiction. For companies that operate in multiple jurisdictions or cloud service businesses that are working with companies in different countries, understanding the specific nuances of each country's requirements is critical."

Fines for non-compliance under GDPR regimes can be staggering. Fines imposed under the EU's data protection laws can run up to four per cent of global profits.

For Google, in March 2020, that turned out to be a fine of seven million euros after the search engine and advertising company failed to purge data it could not prove it still required.

Fines in the region aren't on that scale, but there are penalties on the books that companies need to be aware of.

"There are liabilities for directors, there are liabilities for senior management," warned Maharaj.

"Regulators [in the Caribbean] are actively seeking guidance from the information commissioner's office in the UK, and from other regulators in the EU to find out what they need to do to be effective regulators.

"Regulators are moving away from a checkbox mentality, checking to see if documents are in place and requiring companies to actively demonstrate that they are complying with the law."

"Know your data," Maharaj advised, noting that the Jamaican Data Protection Act allows for imprisonment of directors as well as fines.

"You need to know what data you collect, how you collect it, the total lifecycle of the data, from collection, to use, to sharing, to transferring, to eventual deletion.

"You need to develop a record of processing activity (ROPA), which some regional data protection acts require."

Companies should commit to a continuous audit of agreements with third-party cloud service providers that emphasise a functional data retention policy which purges data that's no longer needed from databases and computer systems.

Sheehy advocated for greater co-ordination between Caribbean nations in their implementation of data protection strategy and called for Caricom to lead a legislative integrative effort to harmonise laws and create standard operating procedures in the region.

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there