THE Caribbean Association of Banks urges Caribbean-based entities that interact with data on European Union (EU) citizens to implement the necessary systems and processes for compliance with the EU's General Data Protection Regulation (GDPR).
All entities that interact, in any way, with EU persons or their data including (but not limited to) hotels, financial institutions, hospitals, airlines and professional services firms should be assessing whether GDPR applies to them.
GDPR is a comprehensive data privacy law that applies to businesses handling personal data of EU individuals, regardless of the businesses’ location or the occurrence of a transaction.
GDPR covers all personal data such as emails, telephone details, ID cards, passport information, website cookies, etc., and this list is non-exhaustive. Entities are expected to be compliant with GDPR by May 25th, 2018.
Failure to comply has far reaching implications for entities and their business operations.
It is important to note that an entity which does not comply with GDPR and its requirements exposes itself to significant penalties and fines.
If an entity is in breach of highly important data, the resultant fines are: up to 4% of its global gross turnover, or EUR 20 million or US$24.8 million. (This relates to infringements including: rights of the data subject; the basic principles for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data; and transfer of personal data to a recipient in a third country or an international organization.)
If an entity is in breach of any other data, the resultant fines are: up to 2% of its global gross turnover, or EUR 10 million or US$12.4 million. (This relates to infringements including: records of processing activities; security of processing data; notification of a personal data breach to the supervisory authority; communication of a personal data breach to the data subject; and certification.)
According to a Deloitte GDPR Benchmarking Survey, only 15% of organizations surveyed expect to be fully compliant by May 2018, with many scrambling to implement appropriate measures.
The CAB strongly recommends that Caribbean financial institutions and other entities that interact with EU-citizen data assess their responsibilities under GDPR and put the necessary systems in place to avoid the negative consequences of non-compliance.