What happened?
The Government of Barbados has appointed Ms. Lisa Greaves as the country’s first Data Protection Commissioner. The official notice in last month’s Gazette indicates that Ms. Greaves’ appointment to the post is effective from July 15, 2021 and comes a few months after the Government brought the majority of the Barbados Data Protection Act (“BDPA“) into force.
As the de-facto enforcer of the BDPA, the new Commissioner will be responsible for a gamut of activities that broadly encompass:
- sensitising members of the public about their privacy-related rights and obligations;
- ensuring compliance with the BDPA’s requirements (issuing notices, auditing privacy compliance efforts, investigating breaches, operating a registry etc); and
- tracking and advising on privacy-related developments.
Commissioner Greaves will also have duties pursuant to the Barbados Identity Management Act (“BIM Act“). In this regard, decisions of the Electoral and Boundaries Commission, made pursuant to the BIM Act, will be appealable to her.
Next steps
A cursory review of both the BDPA and the BIM Act confirm that Commissioner Greaves has a lot of ground to cover.
For her part, Commissioner Greaves has not yet indicated what her list of priorities for the short-medium term will be. One imagines, however, that the next big-ticket items for her office may well include:
- staffing/resourcing;
- sensitising the public about their rights (and members of the business community about their obligations);
- the promulgation of regulations to clarify procedural steps for complying with the BDPA’s obligations; and
- the establishment of a registry to record details of both controllers and processors.
Implications for business
After the BDPA was brought into force earlier this year, the business community operated in a compliance grey area. Though the BDPA had live obligations to be complied with since March, there was no regulator to enforce the act’s provisions or provide guidance on compliance.
The appointment of Commissioner Greaves changes this. The spectre of administrative fines and enforcement notices being issued now means that businesses that fall within the BDPA’s ambit must begin to seriously come to terms with their various compliance obligations.
If your business makes use of personal information and (i) does so from within Barbados or (ii) targets persons in Barbados with its product offerings, the BDPA probably applies to your operations. If this is the case, you may wish to consider taking some basic steps towards compliance.