
Compliance officers meet on EU data rule's impact

Bahamian compliance officers met for a half-day seminar to discuss how new European data protection rules will impact the sourcing and safeguarding of client information.

The European Union's General Data Protection Regulation (GDPR), which came into effect last May, sets rules for how a company collects, uses, retains and discloses personal information on citizens or individuals residing in any of its 28 EU member states.

Because The Bahamas is an international financial and business centre with a significant number of European clients, the GDPR's implementation has implications for Bahamas-based banks, insurance companies, investment firms, health services providers and any entity or industry that holds clients' personal data.

"We wanted members of the Bahamas Association of Compliance Officers (BACO) to have a clear understanding of GDPR and its potential to impact the way they do business. Non-compliance could lead to heavy fines and penalties," said BACO's president, Cheryl Bazard.

She, together with The Bahamas' data protection commissioner, Michael Wright, presented to the seminar last Wednesday. Although the GDPR is designed to protect data privacy for EU citizens, the Internet has no borders. This means Bahamian businesses with an online presence may need to upgrade their digital properties with regards to how personal information is collected and processed - on and offline.

In setting global data protection standards, GDPR dictates that companies need EU citizens' express, informed consent to collect data from them, and that individuals should only be required to share data that is directly related to accessing the functions a business provides.

"GDPR now introduces a data protection officer (DPO). There is an independence from compliance," Mrs Bazard explained. "Compliance must now work with the DPO, specifically in marketing as they send out ads and information to customers… Furthermore, boilerplate wording in employment contracts and customer terms may not be sufficient."

She added that EU residents have the "right to be forgotten". They can request their information and personal data be deleted.

In the event of a data breach, GDPR mandates that a company's data controller report any instance where data is not only stolen but changed, lost or accidentally disclosed within 72 hours of discovery, said Mrs Bazard.

"That means identifying and reinforcing every point in the network where there could be a possible breach; using artificial intelligence technology to reinforce points of vulnerability, monitoring for possible cyber-attacks and having the proper protocols in place if a breach does take place," said BACO's president.

Mr Wright added: "Know where personal data is held, where it came from, who has access, what it is being used for, what is the lawful basis for that processing, and how its use is controlled."

He suggested expanding consent notices online and in brochures; explaining the option to opt out of future marketing when data might be collected; bringing an end to pre-ticked boxes and bundled consents; and ensuring customers are aware of their right to demand full details of the information held on them.

The data protection commissioner said other measures may need to be taken in order to achieve GDPR compliance. These include conducting a full data audit, reviewing data collection forms and privacy notices, and re-examining processes and systems used to deal with data subjects' rights.

The latter will include new rights in relation to erasing data, data portability and use of profiling, along with supplier arrangements with third parties such as hoteliers and airlines.

"We are being made more accountable now than ever before to protect individuals' personal data. Simply visiting a website no longer implies consent for harvesting data or third-party distribution of the data collected while a person is browsing," said Mrs Bazard.

"As compliance officers, it's vital for our members to be abreast of global regulations so that as a jurisdiction we can be in full and proper compliance."
