CASTRIES, St Lucia — The Caribbean Association of Banks urges Caribbean-based entities that interact with data on European Union (EU) citizens to implement the necessary systems and processes for compliance with the EU’s General Data Protection Regulation (GDPR). All entities that interact, in any way, with EU persons or their data, including (but not limited to) hotels, financial institutions, hospitals, airlines and professional services firms should be assessing whether GDPR applies to them.
GDPR is a comprehensive data privacy law that applies to businesses handling the personal data of EU individuals, regardless of where the business is located and regardless of whether a commercial transaction takes place. GDPR covers all personal data, including email addresses, telephone details, ID card and passport information, website cookies and similar identifiers; this list is non-exhaustive. Entities are expected to be compliant with GDPR by May 25, 2018, the date on which the regulation takes effect. Failure to comply has far-reaching implications for entities and their business operations.
It is important to note that an entity that does not comply with GDPR and its requirements exposes itself to significant penalties and fines. GDPR sets two tiers of administrative fines, and in each tier the higher of the two amounts applies.
For the most serious infringements (for example, breaches of the basic processing principles, of data subjects' rights, or of the rules on transferring data outside the EU), the resultant fines are:
• Up to 4% of its total worldwide annual turnover or,
• EUR 20 million (US$24.8 million), whichever is higher
For infringements of other obligations (for example, the duties placed on data controllers and processors, such as keeping records of processing and securing personal data), the resultant fines are:
• Up to 2% of its total worldwide annual turnover or,
• EUR 10 million (US$12.4 million), whichever is higher
According to a Deloitte GDPR Benchmarking Survey only 15% of organizations surveyed expect to be fully compliant by May 2018, with many scrambling to implement appropriate measures.
The CAB strongly recommends that Caribbean financial institutions and other entities that interact with EU-citizen data assess their responsibilities under GDPR and put the necessary systems and processes in place to avoid the consequences of non-compliance.