Your Data, Your Rights: Unpacking the Data Protection Act

In light of several high-profile data breaches recently reported by regional businesses, it is essential to re-emphasise the rights of data subjects, and to inform those who may be unaware of them, particularly when companies hold their personally identifiable information. Even with Barbados’ Data Protection Act 2019 in place, a concerning number of companies still fall short in fulfilling their compliance and responsibility mandates under this law.

This shortfall is evident in basic aspects such as websites failing to clearly articulate their privacy policies, or customer application forms not outlining their data protection policies or adequately disclosing the data rights of their customers. This gap in compliance not only exposes these businesses to risks but also jeopardises the security of their data subjects.

Since the Data Protection Act came into force on March 31, 2021, there has been an intensified focus on cybersecurity, a key compliance element of the Act. However, complying with the Data Protection Act is about much more than just cybersecurity.

The main objective of the Data Protection Act is to establish a strong and effective system dedicated to safeguarding personal data in Barbados. It aims to protect the privacy and security of an individual’s personal information, regulating how it is collected, processed, stored, and shared.

The Act aligns with international data protection standards and provides clear guidelines for both individuals and organisations, promoting the responsible handling of personal information. It defines specific rights for data subjects as well as obligations for data controllers and processors. The aim is to balance the privacy rights of individuals with the operational needs of businesses and organisations.

Let’s delve into the key rights it upholds. Here are the six most important ones:

1. The Right to be Informed: Data subjects are entitled to know how their personal data is being collected and used, including information on the rectification and erasure of that data.

2. The Right of Access: Individuals have the privilege of accessing their personal data and any supplementary information held about them.

3. The Right to Rectification: Data subjects can have any inaccurate personal data corrected or completed if it’s incomplete.

4. The Right to Erasure: Commonly referred to as the ‘right to be forgotten’, this allows individuals to request the deletion of their personal data.

5. The Right to Restrict Processing: In specific scenarios, data subjects have the option to limit or stop the processing of their personal data.

6. The Right to Data Portability: This grants individuals the ability to transfer and reuse their personal data for their own purposes across various services.

In the current landscape, citizens must be vigilant when interacting with companies that collect their personal data. Understanding your rights and the obligations of these corporate entities is key.

First and foremost, it is illegal for companies to collect personal data from individuals without their consent. This consent can be expressed in various ways, such as ticking a box to indicate agreement or signing a document to acknowledge acceptance of terms and conditions.

When engaging with such companies, consider the following principles outlined in the Data Protection Act:

1. Purpose Limitation: Ensure that the company clearly states the specific purpose for collecting your personal data. This data should only be used for the purpose you consented to. Any use beyond this, without your explicit communication and consent, violates the principle of purpose limitation.

2. Storage Limitation: Be aware that your personal data should only be retained for as long as is necessary for the agreed-upon purpose. For example, if your data is collected for a specific event like a lottery, it should be deleted once the event concludes. Companies failing to do this not only breach the Act but also risk damaging their trustworthiness.

3. Lawfulness, Fairness, and Transparency: Companies are required to fully disclose why they are collecting your personal data. They should inform you about the specific purposes for which your data is being collected and stored, including any potential future uses. Incomplete or vague disclosures can result in a breach of this principle, making the company’s data processing practices both unlawful and unfair.

As a citizen, being informed about the Data Protection Act is crucial. It not only empowers you to understand and exercise your rights regarding personal data, such as access, rectification, erasure, and restriction of processing, but also equips you to identify and challenge any misuse or mishandling of your data by organisations. This knowledge is essential for safeguarding your personal information and ensuring your privacy is respected in today’s digital landscape.

Written for Barbados Today