On March 31, 2021, the long-awaited Barbados Data Protection Act (BDPA) became a reality, joining the burgeoning ranks of data protection and privacy acts that have bloomed into existence since the EU's General Data Privacy Regulation (GDPR) of 2016. Not all aspects of Barbados' new Act have been made operational - namely the listing of approved data collectors and processors - but there is enough meat on the Act that businesses who haven't done so yet will want to get their affairs in order quickly.
Yet, how can they? After a tough 2 years dealing with pandemics, worldwide shipping and manufacturing bottlenecks and the spectre of runaway inflation as gas prices soar, micro, small and medium enterprises (MSMEs) have little to no ability to comply with the Act, or its fines. Even before 2020, many local businesses had no clue how to respond to GDPR and this lack of a clear roadmap continues with the BDPA. If I were running a business right now, I'd be mired in frustration trying to figure this out on my own.
Hint: I am running a micro business and I have cried out in frustration. I'm slowly coming through the other side, though and I want to share some of my findings with my fellow MSMEs.
Engage your cores and breathe deeply; let's see what we can do.
Consider your market - internally and externally.
One of the quickest ways to sort out how much the BDPA affects you is to know who you provide your goods and services to directly.
Roughly categorised, if your MSME sells directly to businesses (B2B), such as an office cleaning agency, you have to focus more on internal factors such as past employee or interviewee information.
If your business sells directly to consumers (B2C), like a membership gym, you have increased exposure and need to examine how you acquire lead data and market to past customers, as well as how you respect their wishes for lack of contact or requests for details on their accounts.
Business sectors that hold the most sensitive information - financial institutions, lawyers, private doctors and dentists - already face the highest requirements for customer privacy.
Perform an information assessment
You need to know what information you currently have before you can determine if you have a potential issue.
For example, if you run a small mini-mart, your information may consist of receipts for purchases, entry forms for past and current contests, emailed or online shopping lists to be fulfilled...and security video footage. Or website logs. Or Facebook/WhatsApp messages.
Think big. You might be surprised what information you have in your desks and devices.
Only keep what you need
Once you know what information you have, only keep what you need.
This is the point at which you may need to talk to a lawyer knowledgeable in the BDPA and other commercial laws to confirm data retention guidelines based on your industry. Great sources on island include Bartlett Morgan and Shari-Ann Walker.
Ensure your clients consent and understand
B2C businesses need to ensure that their customers understand and consent to the collection and use of their data. Methods for ensuring consent include the ubiquitous sign warning of security cameras in use and retention of ID numbers for cheques; the increasingly annoying 'cookie' banners on websites and signature of contracts for service with included clauses on the collection, use and storage of client data.
This shouldn't only be done for new clients - past and regular customers should be alerted as well, given that their needs may change. Much like the 'Know Your Customer' process for financial institutions, consider educating your clients on how you use their data and gaining their informed consent on an annual basis. Better yet, chat with a certified privacy professional like Rishi Maharaj of equigov.com.
Look for cloud solutions
Like most MSMEs, I don't have a IT person to rely on, nor a privacy officer on call. These people spend a lot of time to get their skills and deserve their pay - but most MSMEs just don't have the ability to give them their due at this time.
This is where cloud services have proven helpful. Zoom, Google Workspace and Microsoft Teams exist at low rates for less than 10 users. You can also share the service's policies and terms of service with clients, which might save you time and money crafting your own.
Plus, the big cloud software providers save you the effort of finding scarce IT resources (have you heard about this computer chip shortage?) and IT professionals to keep your
company and client data accessible and safe.
Until your electricity goes out, but that's another article for another day. Stay tuned!