Independent advisory across the lifecycle of data and digital risk in the Caribbean.
DPMAS works across four connected pillars — Data Protection Officer cover, compliance implementation under the Data Protection Act 2019-29, cybersecurity advisory, and AI governance and readiness. Each pillar opens with a scoping conversation. Pricing follows scope, not the inverse.
DPO-as-a-Service is outsourced Data Protection Officer cover under the Barbados Data Protection Act 2019-29. A serving practitioner takes statutory accountability for the controller's privacy posture — board reporting, regulator interface, breach response coordination, and oversight of DPIAs and records of processing — without the controller adding a full-time role to headcount.
It is built for Caribbean financial institutions, credit unions, regional insurers, healthcare providers, and government bodies that need the role done by a working DPO, not by an internal staff member fitting it around another job. Engagement begins with a scoping conversation. A monthly retainer follows; scope determines fee.
Enquire about the retainer →Implementation work on the Data Protection Act 2019-29 — Data Protection Impact Assessments, records of processing, breach-response playbooks, and the policy infrastructure that lets a controller demonstrate accountability when the Commissioner asks. The work is calibrated to the Barbados Act and the Commissioner's published guidance, not copied from GDPR or CCPA templates. Engagement begins with a scoped review or a specific deliverable — most often a DPIA for a named processing activity, or a compliance gap assessment against the Act.
Board-level security posture, vendor and third-party risk, and incident readiness — calibrated to the threat surface a Caribbean organisation actually faces, not an enterprise framework imported wholesale. The work suits boards that want an independent read on their cyber posture before something happens, organisations responding to insurer or regulator pressure on third-party risk, and smaller institutions that need a credible posture without the cost of a full security operations centre. Engagement begins with a scoped posture review.
Structured oversight for organisations preparing to deploy AI — governance before procurement, data-flow mapping, and the risk artefacts that survive procurement scrutiny and audit. The premise is that sovereign AI deployment requires the controller to have its governance position before signing the vendor contract, not after. The work suits government agencies and regulated enterprises preparing for AI procurement, boards that have been told to "have an AI policy" and don't know where to start, and organisations with a vendor proposal in front of them that need an independent governance read before they sign. Engagement begins with the DPMAS AI Readiness Assessment.
Each path opens with a conversation. Pricing follows scope, not the inverse. Project work runs to fixed scope and fixed fee; retainer work runs monthly.
Go to Engage →