Sorting the facts from the fiction
The General Data Protection Regulation (GDPR) has been attracting a great deal of attention in recent months as its effective date of 25 May 2018 approaches. With the deadline fast approaching, misinformation about the regulation is spreading in the Caribbean, and if it goes unchecked we risk losing sight of what the new law actually requires.
In this blog post, we’ll be busting the top 3 myths to sort the facts from the fiction, because we know that most Caribbean organisations want to get the GDPR right.
Myth #1: ‘We’re a Caribbean-based company so the GDPR doesn’t apply to us’
Even a Caribbean-based company with no physical presence in the EU is subject to the GDPR if it processes the personal data of individuals who are in the EU, whether residents or visitors, in connection with offering them goods or services (whether or not payment is required) or with monitoring their behaviour within the EU (Article 3(2)). A company that does have an office or branch in the EU is subject to the GDPR for processing carried out in the context of that establishment, regardless of where the data is actually stored or processed (Article 3(1)). Given the cross-border nature of offshore financial services, and the number of legal organisations with offices overseas, including in the EU, much of the personal data held by Caribbean organisations will likely fall under the GDPR.
Myth #2: ‘My data is stored with my cloud service provider so it’s not our responsibility to remain GDPR compliant’
Controllers and processors each carry their own obligations under the GDPR. A business that decides why and how personal data is used is the controller, and it cannot hand its duties off to the cloud or security providers that store or process that data on its behalf: the controller remains responsible for compliance, may only use processors that provide sufficient guarantees, and must bind them by a written contract that sets out the processing (Article 28). The processor in turn has direct obligations of its own, such as implementing appropriate security measures and notifying the controller of a personal data breach without undue delay (Articles 32 and 33(2)).
Myth #3: ‘Our personal data is in the database so we are not subject to the GDPR’
The GDPR applies to personal data wherever it is held, not only to data in a particular system or database. Personal data is any information relating to an identified or identifiable natural person (Article 4(1)): someone who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. Any such data about a person in the EU is protected whether it sits in a database, a spreadsheet, an email archive, a backup, or a structured paper filing system (Article 2(1)).
Polly Pickering, Managing Director at eShore Ltd, sums up her top points for GDPR regulation related to the processing and recording of personal data:
Information by design needs to be the new direction in all businesses. I relate it to ‘kaizen’ efficiency, similar to what I used to work with in the automotive world, where you would agree quality standards before production. So, if there are mandates when onboarding client information at the start – in regards to security, access controls, retention, labelling and incorporating additional eDiscovery controls right at the onset – it will make the responsibility of data management less problematic.
Considering that the consequences in store in cases of non-compliance are quite substantial, these possible GDPR fines should be addressed in the boardroom, both for emergency budget consideration and for brand impact and marketing/public relations risks.
The GDPR articles state that fines will be imposed which should be ‘effective, proportionate and dissuasive’, so, contingent on the violation level, penalties of from 2% up to 4% of a company’s total worldwide annual turnover will be imposed. This speaks volumes in respect of the ‘impact’ on a company’s bottom line.
Summing up, the GDPR should be front and centre at every business level. This is not an IT-only issue, nor is it isolated to compliance or enterprise risk; it affects every component of most businesses. Disregarding or miscalculating the importance of the regulation or its pending deadlines could be disastrous.
Last but not least, reviewing the almost 100-page GDPR articles means appraising which information rights relate to your company, but a review should also consider liability and duty. One responsibility tied in is the consideration of announcements of IT attacks and data breaches. How, who and when you have to notify your regulatory authorities and clients, and how you manage the breach, should again be part of a good Business Continuity Plan (BCP), and you should ensure that a proactive policy and training are present in the company’s overall philosophy.
As always, if you need a second set of eyes or are not sure what else should be considered, access to our team and our collection of compliance and IT solutions is complimentary; drop us a line on +1 (345) 946 3673 or email firstname.lastname@example.org.