ICA Regional Spotlight: The Caribbean

By Gary Duncan, 2 September 2024

The Caribbean comprises multiple countries and territories, each with its own data privacy laws. At the same time, several countries in the region are required to comply with the EU General Data Protection Regulation (GDPR).

A recent ICA Member Webinar, hosted by Heather Wurster, Global Lead, Customer Due Diligence at the ICA, discussed the challenges for organisations operating in the region and provided practical guidance on how they can establish effective data privacy strategies and frameworks. Wurster was joined by Alexander McD White, Privacy Commissioner for Bermuda; Rishi Maharaj, Managing Director and Principal Consultant, Privacy Advisory Services; and Joe Jones, Research and Insights Director, IAPP.

Recent developments

Maharaj began by saying that data privacy and protection isn’t new in the Caribbean, but that it has taken off in the past few years, especially post-COVID-19. Trinidad and Tobago started work on its data protection laws in 2008/9, predating the GDPR, and a number of countries in the region, including the Bahamas, Barbados, Jamaica and Bermuda, have either introduced new legislation or amended existing laws.

The GDPR is one of the biggest drivers. Most Caribbean countries have trade agreements with the EU and the UK, and many have contextualised the GDPR for their own needs. ‘The good thing about most of these laws is that they’re based around the GDPR,’ Maharaj said. ‘Not exactly in a copy-and-paste approach, as each company, each country has looked at the GDPR and amended the laws to suit their particular area.’

Another driver has been the focus, post-COVID, on the digital transformation of government services and the efforts to create frameworks to protect individuals’ privacy and data protection rights.


Jones said what’s happening in the Caribbean is also happening around the world, and it’s not just related to the GDPR. Other factors have forced countries to tackle issues such as data use and collection, the trade-offs between data protection and data utilisation, and the geopolitics of data – not only as it relates to individuals and human rights, but in terms of production and as a strategic asset to boost economic recovery.

The conversation is now shifting to how data privacy and protection overlaps with other regulatory domains. Jones cited the rapid development of AI technologies and regulations, and the intersection of cybersecurity in content moderation, platform liability and online safety. ‘All these technologies relating to the use – and potentially the misuse – of data raise questions about the efficacy of privacy and data protection,’ he said.

Old World or New World?

Wurster asked the panellists where the digital world, driven by data and human rights, might be heading, and what that means for privacy regulations. 

‘Data is in everything,’ White said. ‘Everything we do now has become digitised, has become some form of quantification of statistics, and we have to think about how this impacts so many different aspects of our lives.’

He said there are two schools of thought, separated by the Atlantic. ‘On the European side, we’ve got this critical importance of respect for human rights and specifically the right to privacy, and everything is looked at through the lens of whether it’s a violation of, or enabling, that human right. In North America, the stereotypical way of looking at things is that this is a consumer issue. This is all about how business operates, about the free market exercising itself.’

For many jurisdictions in the Caribbean, it’s a choice between the Old World or the New. For White, that’s a false dichotomy: ‘Instead of picking a side, we should try to take the best of both worlds. And that means being flexible and at times it means we have to embrace a sense of uncertainty as we work through these novel issues.’

It’s often about finding a middle path – something White calls ‘mid-Atlantic privacy’. It’s not about business or privacy, individuals or innovation, prosperity or rights, he added: ‘We need to reject that, or we need to say this is not a zero-sum game. We need to focus on how we can embrace privacy and business success, innovation and individual rights.’

‘How can we reduce risk?’

White emphasised the link between rights and business success. ‘We talk about the moral imperative of implementing a privacy programme,’ he said, ‘but doing so also has a strong business imperative which helps the business become more efficient and mature, how it operates, how it stores its data and how it narrowly tailors its goals to reduce the risk of harm to people and help the organisation.’

Compliance officers should be encouraged to think in a risk context, he said. Understanding how to reduce that risk could be the ‘Rosetta Stone’ for different jurisdictions because risk, in many ways, is universal.

Different jurisdictions do have different regulations and processes, he said, but risk analysis or risk mitigation in one jurisdiction will often be the same as in others. ‘That gives us the opportunity to speak a common language to help businesses that want to operate either throughout the Caribbean or globally,’ White said.

The privacy function’s evolving role

Maharaj said the privacy function is already changing due to the growing focus on data privacy and protection, but that there is still a lot of misunderstanding of what data protection means. Many organisations think it means they can’t do certain things they would normally do, he said, so there needs to be more communication and training to raise awareness.

It doesn’t mean you can’t do business as usual, he said. ‘It’s a differentiator and it could be a differentiator in the way we do business, in the way we retain customers or bring in customers,’ he said. ‘It’s a good differentiator if we want to expand our markets beyond the region to other parts of the world that may have similar laws.’

The privacy or data officer role will differ by organisation. In many organisations, there may not even be a dedicated compliance function. ‘For some organisations the only personal information that’s even used is human resources information,’ White said, ‘so that would be the natural place for this type of compliance function to sit.’


‘Culture eats strategy for lunch’

Jones said it will take time to raise data privacy awareness and literacy. ‘Cultures are not built overnight,’ he said, ‘and organisations are not sitting on stockpiles of cash, ready to spend on what they might perceive to be something related to regulatory risk and compliance.’

As companies try to do more with less, he said, ‘Investing in compliance leads and data protection privacy can seem, and I don’t agree with this, like a bit of a regulatory compliance backwater. It’s not.’



Maharaj said it’s all about culture. ‘There’s a famous saying, that culture eats strategy for lunch,’ he said. ‘You can have the best strategic plan and the best systems in place, but if your culture isn’t there, then you’re probably going to be in trouble one way or the other. Culture takes a while. It’s a slow-moving train.’

Data protection is not a death sentence, he said: ‘It can actually enhance your organisation. If done properly, it can enhance your profitability, your return on investments. It can engender a sense of trust with your key stakeholders.’



The full webinar – ICA Regional Spotlight: The Caribbean – is available to ICA members via our Learning Hub.
