You must follow certain rules if your business stores or uses personal information, whether that relates to your customers or your staff. The Data Protection Act, 2019 is the main body of law that governs data protection in Barbados, and enforces many of the same standards and obligations found in other jurisdictions, particularly the European Union and the United Kingdom.
Concepts under data protection law
You may hear terms that you've not heard before, such as data controller and data subject. It is important to familiarise yourself with these expressions and their meaning, as it will aid you in understanding your obligations under the Act.
Data controller
This refers to any person who determines the purposes for which, or the manner in which, personal data is or should be processed.
Please note this also includes persons who process personal data solely for the purpose of complying with any law in force.
Example: If you collect personal data, you are a data controller.
Data processor
This refers to any person who processes personal data on behalf of a data controller.
Please note this does not include an employee of a data controller.
Example: If you store or analyse personal data, you are a data processor.
Personal data
This refers to any data whatsoever that relates to a natural person who can be identified from it, or that data together with other information which is in the possession of, or is likely to come into the possession of, a data controller.
Data subject
This refers to any natural person who is the subject of personal data.
When the Act comes into force
The Data Protection Act, 2019 is already in force as of March 31st, 2021 except for the provisions relating to the registration of data controllers and data processors, that is to say:
(i) Section 50: Data controllers must be registered
(ii) Section 51: Register of Data Controllers
(iii) Section 52: Notification of changes in respect of a data controller
(iv) Section 55: Data processors must be registered
(v) Section 56: Register of Data Processors
(vi) Section 57: Notification of changes in respect of a data processor
Data protection authority
In Barbados, data protection law is enforced by the Data Protection Commission of the Ministry of Industry, Innovation, Science & Technology.
On July 15th, 2021, Ms. Lisa Greaves was appointed Data Protection Commissioner with responsibility for overseeing the work of the Commission.
Frequently asked questions
To report a breach of the Data Protection Act, 2019, please e-mail the Data Protection Commissioner:
lisa.greaves@barbados.gov.bb
If you wish to send your report by post, please address it to:
Data Protection Commission
Ministry of Industry, Innovation, Science & Technology
5th Floor, SSA Building
Vaucluse
St. Thomas
Barbados
West Indies
Note: If you are a data controller, you must within 72 hours after becoming aware of a personal data breach, report it to the Commission if the breach is likely to result in a risk to the rights and freedoms of an individual. Failure of a data controller to report a notifiable breach before the deadline may constitute an offence. When notifying the Commission of a personal data breach, you must provide reasons to the Commission if you did not report it within 72 hours after becoming aware of it.
