The Tribune

A Bahamian information manager has warned that local firms could be exposed to hefty financial penalties if they fail to comply with impending European data protection rules.

Chris Sawyer, pictured, Sunryse Information Management's president, warned that Bahamian companies doing business with entities falling under the European Union's (EU) General Data Protection Regulation (GDPR) regime could be impacted when it comes into affect on May 25.

He added that companies failing to comply with specific data collection guidelines, as outlined in the GDPR regulations, while conducting business with EU companies could be exposed to fines of up to 20 million euros or four per cent of their annual revenue.

"How companies collect, store and eventually destroy data from agencies or organisations in the EU member states will be further scrutinised once the new GDPR regulations come into effect this month," Mr Sawyer explained.

"Businesses in The Bahamas must look at their overall process and have a handle on what personal information is being gathered from clients, be that names, e-mail addresses, credit card details, banking information, insurance details or any other personal details specific to that individual."

He added: "There also has to be a clear understanding of the chain of command as the data moves from the customer through various channels within your organisation.

"Once collected, it is also important to determine how a company manages the information now in its possession. Careful consideration should be given to obtaining consent from clients when passing client data between entities."

Mr Sawyer started Sunryse Information Management 18 years ago, with the goal of helping companies properly dispose of confidential information through shredding. Since then, the data management company has expanded its services to include secure storage of physical client files, and also digitising client documents for companies seeking to store and manage information digitally.

For firms in The Bahamas, conducting business with EU clients or customers where there is any exchange of goods or services - or if the company is monitoring the behaviour of persons based in the EU - the responsibility for compliance ultimately rest with the business gathering the information.

The first step towards determining compliance is to become knowledgeable about the new regulations. Sunryse said it is urging its own clients to evaluate their current data collection and retention policies.

Under the new regulations, individuals have the right to access and review their personal data. The company collecting the information must correct all inaccuracies and erase any information that an individual requests to be removed or redacted. Individuals can also object to being solicited through direct marketing based on information collected, and have the right to move data collected to another entity.

With this in mind, Bahamian companies impacted by the new GDPR regulations must determine how they will organise and store information in a way where it is secure and can be easily provided upon the request of a client or a consumer.

Finally, Sunryse is encouraging companies to put a comprehensive plan in place to manage data throughout its complete lifecycle - from collection, retention and destruction of records on client request. Having automated processes with built-in restrictions in place further protects client data and reduces the chances of companies becoming non-compliant.