Taking data protection seriously in the Caribbean: clearing up the misconceptions!

By: Staff Writer

May 20, 2022

Data protection legislation is relatively weak in the Caribbean because it is missing key ingredients that protect users on both sides of the user interface.

Eamonn Sheehy, Cloud Carib’s director of public sector, made this point at a Cloud Carib-sponsored webinar, saying that every country in the region needs a dedicated data protection officer to serve as a point of call when data breaches occur, as well as to stay ahead of the curve and nip suspicious activity in the bud.

He also noted that breaches of any data policy or legislation must carry fines, to the point where they cause individuals to change the way they conduct themselves with their clients.

Cloud Carib has been preparing for the emergence of this type of legal environment for “years” now, Sheehy pointed out, as the company saw the World Wide Web continuing to be exploited by actors with a voracious appetite for data. “We’ve done that by providing details at the service level, getting certain nationally recognized standards and recognizing the need to implement industry best practices,” Sheehy said.

The European Union’s General Data Protection Regulation (GDPR) principles are vitally important in this exercise and all actors should be encouraged to implement them in their data protection regime.

Following the GDPR guidelines can, however, lead to misconceptions about what these principles entail, and when and why.

Rishi Maharaj, managing director and principal consultant at Privacy Advisory Services, said that one misconception people and companies have is the belief that they need consent every time they provide someone’s data.

“Now consent is important and consent is also relevant. All data protection laws speak to the notion of consent, but consent isn’t the only reason or the only legal basis that you can use to process data,” Mr Maharaj said.

Prior to 2010, only four Caribbean and Latin American territories had implemented comprehensive data protection laws, with The Bahamas and Trinidad & Tobago leading the way in that regard. Over the past decade, however, that list has grown to include countries like Barbados, Jamaica and 13 other territories, each iteration of which uses the EU’s GDPR as a model.

Latin America’s focus on data protection has come partially in response to international reports of sophisticated cyberattacks which have targeted Caribbean-based companies. In the past two months alone, regionally based companies like the Massy Group and Aeropost have fallen victim to breaches that resulted in the leak of sensitive customer data. According to Maharaj, this trend is likely to continue, making it even more important for organizations across the Caribbean to take their data protection strategies more seriously.

Mr Maharaj also said that under the GDPR-based laws in the Caribbean there are several legal means by which people can summons data. One is where you enter into a contract with someone and data and information have to be exchanged. Secondly, many companies have “legal obligations” to collect data, for example companies that fall under the ambit of anti-terrorism laws and other money laundering laws in their daily business operations.

He added: “If there is a legal requirement to collect certain data then you don’t need to get consent. Also if you are in the public service or you’re operating in a public sphere and you need to procure public goods for someone you don’t need to collect consent.”

“I truly think we have the opportunity to create real legislative synergy by establishing a standard operating procedure to govern all organizations operating within the region much like the General Data Protection Regulations (GDPR) covers the UK and European Union,” noted Maharaj, who himself has had previous experience in crafting the 2011 legislation enacted by the government of Trinidad & Tobago.

He also warned, however, that it is not a free-for-all by any stretch of the imagination, which is the reason why data protection laws are becoming more prevalent in the region. He noted that people using Cloud services like Cloud Carib typically don’t need consent, but they have to “play in certain legal lines” in order to ensure the integrity of the data and information being stored. “You need to have data sharing agreements,” primarily if your Cloud service provider will be storing your data out of your country of operation, as well as a “data processing agreement,” Mr Maharaj said.

As the Caribbean continues to develop in technological maturity, data protection will continue to be at the forefront of the conversation. “It is our hope that educational events like this will help the security posture of island nations,” said Cloud Carib Marketing Director Olivia Dorsett. To learn more, watch a recording of the event on the company’s YouTube channel or visit its social media pages.
