On May 25th, 2018, the European Union (EU) will implement its General Data Protection Regulation (GDPR) in all member states.
While the new regulations will directly impact EU countries, implementation could also affect Bahamas-based organizations conducting business with entities falling within the scope of the regulations.
Sunryse Information Management, a data management firm based in Nassau, says local companies that fail to comply with the data collection guidelines outlined in the GDPR while engaging with EU companies could face stiff fines of up to €20 million or 4 per cent of their annual revenue.
President of Sunryse Information Management Chris Sawyer said, “How companies collect, store and eventually destroy data from agencies or organizations in the EU member states will be further scrutinized once the new GDPR regulations come into effect this month.
“Businesses in The Bahamas must look at their overall process and have a handle on what personal information is being gathered from clients, be that names, email addresses, credit card details, banking information, insurance details or any other personal details specific to that individual.
“There also has to be a clear understanding of the chain of command as the data moves from the customer through various channels within your organization. Once collected, it is also important to determine how a company manages the information now in its possession. Careful consideration should be given to obtaining consent from clients when passing client data between entities.”
Sawyer started Sunryse Information Management 18 years ago with the goal of helping companies properly dispose of confidential information through shredding.
Since then, the data management company has expanded its services to include secure storage of physical client files and digitization of documents for clients seeking to store and manage information digitally.
For organizations in The Bahamas conducting business with EU clients or customers where there is any exchange of goods or services, or where the company is monitoring the behavior of persons based in the EU, the responsibility for compliance ultimately rests with the organization gathering the information.
The Sunryse team continues to work with its clients to ensure compliance by the GDPR implementation date and offers the following tips to local businesses impacted by the new regulations.
The first step towards determining compliance is to become knowledgeable about the new regulations. Next, Sunryse urges its own clients to evaluate their current data collection and retention policies.
Under the new regulations, individuals have the right to access and review their personal data. The company collecting the information must correct all inaccuracies and erase any information that an individual requests to be removed or redacted.
Individuals can also object to being solicited through direct marketing based on information collected and have the right to move data collected to another entity.
With this in mind, local companies impacted by the new GDPR regulations must determine how they will organize and store information so that it is secure and can be easily provided upon the request of a client or a consumer.
Sunryse encourages companies to put a comprehensive plan in place to manage data throughout its complete lifecycle, from collection through retention to destruction of records on client request.
Having automated processes with built-in restrictions in place further protects client data and reduces the chances of companies becoming non-compliant.