Implications of EU data protection rules for Caribbean businesses


Tuesday, September 18, 2018

Print this page Email A Friend!

MAY 25, 2018 should be highlighted as a most important day in history — new day dawned to welcome the implementation of the new European Union Data Protection Regulation. Some may say that the giants have been forced to yield, but whether they have surrendered is of little importance; what is absolutely undeniable is that all over the Internet world data protection and privacy were being echoed and promoted in an unprecedented manner on this fateful day.

But on this occasion the orchestra was not being led by the policymakers and legislators, but by the Goliaths within the digital space. E-mail and notifications from private corporations flooded inboxes, and pop-ups were inserted on many websites in salutation to the new EU General Data Protection Regulation which came into effect on this day.

The rules were always promised to be far-reaching. With its much-anticipated arrival, companies all over the world issued notices explaining how and for what purpose personal information of their clients is processed. May 25, 2018 will be remembered as a day when online sites for some popular newspapers were inaccessible in EU member states; a day when many issued new data protection policies.

So far, the actions of social media giants, search engines and online newspapers have all demonstrated that the technological world over has paused in honour and respect for the new data protection regime. Some may argue that the driving force is one greater than honour — a fear fuelled by the heavy fines and sanctions promised by the new rules. You may ask what has prompted the development of such rules to govern the management of personal information by data controller.

Personal data drives the new economy

In pursuit of their internal goals, both private companies and public authorities now make use of the personal information of their clients on an unprecedented scale. This personal information includes any information that can be used to identify a living person such as name, age, e-mail addresses, credit card numbers, and tax registration numbers. This list is not exhaustive, as it also includes DNA, fingerprints, biological data, etc.

Most importantly, technology has resulted in an increase in the processing of personal information and an increase in the vulnerability of the data subjects. This very fact is noted within the new rules, which state that both technological developments and globalisation have brought new challenges for the protection of personal information. The rules announce forcefully that the processing of personal information should be designed to serve mankind and, importantly, that the protection of natural people in relation to the processing of their personal information is a fundamental right.

The new rights

An entity must now obtain the consent of the individual before they can process their personal information. It is this requirement for consent that has caused e-mail inboxes to be filled with requests for permission to process personal data.

The individual also has the right to know what personal information is being processed by private and public bodies; the right to have this data rectified, and to even have the data erased, ie 'The right to be forgotten'. Our Data Protection Bill 2017 in Jamaica is also expected to codify such rights consistently with the new EU data rules.

Who is affected?

These EU rules are applicable to any organisation that processes the personal information of EU citizens, whether located in the EU or outside of the EU. Where any organisation processes the personal information of citizens of any EU member state for the purpose of offering goods and services, they must abide by the new rules or there is likelihood of facing heavy fines of up to 20,000 EUR or four per cent of the worldwide annual turnover. This may have implications for territories within our region which offer services in the tourism and other sectors to natives of the EU. Consequently, the region should also acknowledge the implications of these new rules concerning data protection and privacy and seek to pass legislation consistent with the new data protection and privacy regime.

Andrea Martin-Swaby is head, Cybercrime Unit, and deputy director of public prosecutions.

Now you can read the Jamaica Observer ePaper anytime, anywhere. The Jamaica Observer ePaper is available to you at home or at work, and is the same edition as the printed copy available at




1. We welcome reader comments on the top stories of the day. Some comments may be republished on the website or in the newspaper � email addresses will not be published.

2. Please understand that comments are moderated and it is not always possible to publish all that have been submitted. We will, however, try to publish comments that are representative of all received.

3. We ask that comments are civil and free of libellous or hateful material. Also please stick to the topic under discussion.

4. Please do not write in block capitals since this makes your comment hard to read.

5. Please don't use the comments to advertise. However, our advertising department can be more than accommodating if emailed:

6. If readers wish to report offensive comments, suggest a correction or share a story then please email:

7. Lastly, read our Terms and Conditions and Privacy Policy

comments powered by Disqus



Today's Cartoon

Click image to view full size editorial cartoon