For regional business heads, the GDPR phenomenon has been a new risk item that is looming on the horizon. For most it is not perceived as an immediate risk issue, but we know that will soon be yet another compliance item in our audits and in our governance reporting requirements.
As is usual with these new regulations, there is a lot of data available online (most relevant primarily to the EU, not necessarily regional entities). Fortunately, there has been a fair number of regional parties sharing their perspectives, but often key decision making points are left unanswered.
Can a Caribbean Company be exempt from GDPR?
The regulation requirements state that any Caribbean organization, whether it’s quasi-government, private or non-profit, that works with European citizen data may be subject to GDPR regulations.The GDPR makes an exception for organisations with fewer than 250 employees provided that it’s data-processing does not impact the rights and freedoms of data subjects, is occasional, or does not include certain types of sensitive personal data.
So, in summary if your organization is sure that it does not work with EU citizen data, then GDPR will not apply. If the organization does but has less than 250 employees, then it may be exempt, but this must be validated via a formal assessment. Thinking that you are exempt does not make its so.
What is the risk of being found to be non-compliant?
“European data protection agencies have issued fines totaling 56 million for GDPR breaches since it was enforced last May. For more than 200,000 reported cases, but watchdogs have said that they’re just starting to warm up.” Theregister.co.uk
There are still many Global organizations, that are unaware that GDPR affects them and could face hefty fines if the data protection rules aren’t applied. Regionally, Dutch, French and British territories are behind in being GDPR ready. So outside of the EU compliance is less prevalent, but gradually growing.
The penalties for non-compliance can result in GDPRfines of up to 4% of annual global revenue or €20 million, whichever is highest. Note that this says all revenue not just EU generated revenue. This of course is a broad brush statement, and details will vary by country and company.
A possible scenario
Above we highlighted the statement ‘sure that your company does not work with EU citizen data’. Business heads must remember that this covers B2C and B2B relations. Here is a possible example
A regional bank receives monthly pension payments from an EU company, for one of its customers. The EU company will need to be GDPR compliant and it would also need to ensure that the local bank is compliant. To do so it would conduct a due diligence exercise with the local bank to assure its compliance, but it would ultimately be up to the bank to ensure compliance.
A few months later a data breech at the local bank discloses the EU customer’s data. Once the EU company can prove that due diligence was followed, then the local bank could be deemed accountable, and possibly penalized.
A lot of companies don’t realize this. This is what makes the GDPR such a powerful regulation – it doesn’t have borders and some businesses can end up in very hot water when they don’t think it applies to them.
Other scenarios – local citizens with dual citizenship & tourist visitor data,
What to do next
Unless your company is certain that it does not process EU citizen data, an assessment of risk should to be done. There are many guides online that can help guide this assessment, but the process needs time and effort. Practitioners needs to know/learn the company business and data stores, know the GDPR requirements (Right to be forgotten, Right to portability, Right to access, Right to object and Right to opt out), know the assessment process itself, and finally be able to do valid justifications for any exemptions.
CipherQuest offers regional clients expert services in all things GDPR, tailored for our regional business and regional budgets. An early start means more time for remediation and more manageable demands on limited resources.