Compliance Tips for new GDPR Regulations

On May 25th, 2018, the European Union (EU) will implement its General Data Protection Regulation (GDPR) in all member states. While the new regulations will directly impact EU countries, implementation could also affect Bahamas-based organizations conducting business with entities falling under the arc of the regulations. 

Local companies that fail to comply with the GDPR's data collection requirements while engaging with EU companies could face stiff fines of up to €20 million or 4% of their annual revenue.

“How companies collect, store and eventually destroy data from agencies or organizations in the EU member states will be further scrutinized once the new GDPR regulations come into effect this month,” Chris Sawyer, President of Sunryse Information Management explained. 

“Businesses in The Bahamas must look at their overall process and have a handle on what personal information is being gathered from clients, be that names, email addresses, credit card details, banking information, insurance details or any other personal details specific to that individual. There also has to be a clear understanding of the chain of command as the data moves from the customer through various channels within your organization. Once collected, it is also important to determine how a company manages the information now in its possession. Careful consideration should be given to obtaining consent from clients when passing client data between entities.”

For organizations in The Bahamas that conduct business with EU clients or customers, whether through any exchange of goods or services or by monitoring the behavior of persons based in the EU, the responsibility for compliance ultimately rests with the organization gathering the information.

The first step towards compliance is to become knowledgeable about the new regulations. Next, Sunryse urges its own clients to evaluate their current data collection and retention policies. Under the new regulations, individuals have the right to access and review their personal data. The company collecting the information must correct all inaccuracies and erase any information that an individual requests to be removed or redacted. Individuals can also object to being solicited through direct marketing based on the information collected, and they have the right to move that data to another entity. With this in mind, local companies impacted by the GDPR must determine how they will organize and store information securely and in a way that allows it to be provided promptly upon the request of a client or consumer.

Putting a comprehensive plan in place to manage data throughout its complete lifecycle, from collection through retention to destruction of records on client request, will be pivotal to ensuring compliance. Having automated processes with built-in restrictions in place further protects client data and reduces the chances of a company becoming non-compliant.

To learn more and conduct a free data protection impact assessment, visit https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment

Fabian Fernander