
The Jamaican Data Protection Act 2020 has been in force since the end of its transition period. Every Caribbean firm reading this article is either subject to it directly, subject to a comparable regional act, or doing business with parties that are. This article does not summarise the legislation — there are competent legal summaries available elsewhere. It addresses the question Caribbean boards actually need answered: what does the firm have to do differently on Monday morning, and how does the firm know it is doing it?
Note: This article addresses operational data-protection practice and is not legal advice. Where the Act’s interpretation is material to a particular decision, the firm should consult qualified counsel. Dawgen Global’s role is advisory and operational; the firm’s legal advisors remain the appropriate source for legal opinion on the Act’s specific application.
The query that returned more than expected
In March 2026 we began a Data Protection Operational Readiness Review at a Caribbean professional services firm with eighty staff, a regional client book, and a forty-year history of careful record-keeping. The engagement opened, as these reviews always do, with a simple discovery exercise: produce a list of every place the firm currently holds personal data, classified by source, by purpose, and — critically — by the date on which the firm last had a legitimate need to hold it.
The firm’s IT director, asked to run the query against the firm’s file storage, returned to the meeting two days later with a single number on a printed page: 41,287. That was the count of client files the firm was still actively storing, in folders dated by year of engagement, going back to 2007. The firm had been founded in 1986 and had migrated its file storage twice in the intervening four decades — once from physical filing cabinets to a server in 2007, and once from that server to its current cloud platform in 2018. At each migration the firm had carried forward everything. Nothing had ever been deliberately deleted.
Of the 41,287 files, the firm had, on inspection, a clear ongoing professional, regulatory, or commercial justification for retaining roughly twelve thousand. Another nine thousand or so had reasonable arguments for retention that the firm could make if challenged — files relating to clients with whom the firm had ongoing relationships, files connected to matters with potential long-tail liability, files the firm’s external regulators required to be held for a specified period. The remaining twenty thousand files were, by the firm’s own honest assessment, files the firm had simply never thought to delete. Client engagements concluded between 2007 and 2019, with no current relationship, no pending matter, no retention obligation. The firm was holding personal data for longer than was necessary for the purpose for which it had been processed, which is precisely what the Act’s retention standard prohibits.
None of this was a breach. The firm had not lost any data; it had not been investigated by the Office of the Information Commissioner; it had not, to anyone’s knowledge, ever been challenged on its retention practices. What it was — and what most Caribbean SMB data-protection findings turn out to be — was the slow accumulation, across decades, of decisions never made. The Data Protection Act 2020 does not require the firm to keep data; it requires the firm to delete data when the firm no longer has a basis to hold it. Most Caribbean firms have invested significantly in keeping data and almost nothing in deleting it.
The managing partner, asked at the close of the discovery phase whether the finding troubled him, gave the answer this article exists to honour. “It doesn’t trouble me as a finding,” he said. “It troubles me as evidence that we have never set a retention policy, in forty years, because nobody ever told us we had to. Now we have to. I’d rather have learned this from you than from the Information Commissioner.”
1. The Data Protection Act 2020 in operational language
The Act is structured around eight Data Protection Standards, each of which is written in the careful, slightly abstract language that legislation requires. The legal summaries do a competent job of paraphrasing them. The operational translation — what each standard means for what the firm has to do, in plain practice — is what the legal summaries omit, and what this section provides.
The Eight Standards, translated
Standard 1 — Lawful, fair, and transparent processing. Operationally: every category of personal data the firm holds must be traceable to a specific reason the firm has it, and the people whose data it is must have been told, at some point, what the firm intended to do with it. If the firm cannot answer the question “why are we holding this?” for a given record, the firm is non-compliant on Standard 1 by definition.
Standard 2 — Specified, explicit, and legitimate purposes. Operationally: each category of personal data must be linked to a specific use, and the firm must not extend the use beyond what was originally specified. Client data collected for an audit engagement should not be used for the firm’s general marketing without a new basis being established.
Standard 3 — Adequate, relevant, and not excessive. Operationally: the firm should not collect more personal data than it actually needs. A common Caribbean SMB failure mode is to use the same intake form for every type of engagement, regardless of whether the engagement actually requires every field on the form. Each unnecessary field collected becomes a Standard 3 exposure.
Standard 4 — Accurate and current. Operationally: the firm has a positive obligation to keep personal data accurate and up to date. For a firm with long-standing client relationships, this means periodically confirming contact details, ownership structures, and other material facts. The Act does not specify the cadence; reasonable practice is annual confirmation for active relationships.
Standard 5 — Data subject rights. Operationally: data subjects (the people whose data the firm holds) have rights to access, correct, and in some cases delete their data. The firm must have a process for receiving and responding to such requests within statutory timeframes. Most Caribbean SMBs have not been asked to respond to a formal data subject request yet; almost none have a documented process for when the first one arrives.
Standard 6 — Retention. Operationally: the firm shall not hold personal data for longer than necessary. The opening anecdote of this article was a Standard 6 finding. Most Caribbean SMB data-protection exposure lives here, and §3 of this article addresses retention as its own structural element.
Standard 7 — Appropriate technical and organisational measures. Operationally: the firm must protect the personal data it holds with reasonable security controls — encryption where appropriate, access controls, audit logging, breach detection. Article 2.2 of this series addresses the access-layer dimension of Standard 7; Article 2.4 will address the backup-and-recovery dimension.
Standard 8 — International transfers. Operationally: personal data should not be moved outside Jamaica (or, under the equivalent regional Acts, outside the relevant territory) without adequate safeguards. For Caribbean firms using US-based cloud services this is the standard that most often surprises the board, and the one whose technical handling requires the most care. A Microsoft 365 or Google Workspace tenant holds its data in whichever data region the platform assigned at sign-up, and since neither platform offers a Jamaican data region, that location is necessarily outside Jamaica. The firm therefore needs to know where its tenant data actually resides and which contractual safeguards cover that location before it can say Standard 8 is met.
These eight standards, taken together, define what the Act requires. The firm’s compliance with each is testable — meaning that for each standard, a Caribbean SMB can produce evidence that it is complying, or it cannot. A firm that can produce evidence on all eight is in operational alignment with the Act. A firm that cannot is exposed, even if no incident has yet surfaced the exposure.
2. The four data states — and the one most firms have never thought about
The standard framework for thinking about data protection, used in security literature for decades, is the three-state model: data at rest, data in transit, and data in use. This framework is correct as far as it goes; it has not, in our experience, gone far enough for the Caribbean SMB context.
There is a fourth state, structurally distinct from the other three, and it is where most Caribbean SMB data-protection exposure actually lives. We call it data in retention — data the firm is still holding after the legitimate basis for holding it has expired. This is the state the Sixth Standard of the Act addresses, and the state every Caribbean SMB has more of than it realises.
| Data State | What the firm must do, and what usually goes wrong |
|---|---|
| At Rest | Personal data stored on the firm’s systems — file servers, cloud storage, databases, archived emails, backup media. What usually goes wrong: data at rest is the state most Caribbean SMBs have done the most about (encryption is increasingly default at the platform layer) and the state where most still have unmonitored exposure (the personal copy on the founder’s laptop, the spreadsheet exported to a USB drive that travelled to the auditor’s office, the file uploaded to a personal cloud account by a staff member). At-rest protection at the platform layer is necessary but not sufficient. |
| In Transit | Personal data moving between systems, between the firm and its counterparties, or between staff members and external recipients. What usually goes wrong: data in transit is sent through whichever channel is most convenient for the sender. Client documents are emailed as attachments rather than shared through controlled platforms. Bank-account details are sent through SMS or WhatsApp. Sensitive information is shared with the auditor through a free file-sharing service whose terms of use were never read. Each of these is a Standard 7 finding waiting to happen. Article 1.5 of this series addressed one specific dimension of this — email authentication — and the broader pattern requires the firm to have a deliberate position on which channels are acceptable for which categories of data. |
| In Use | Personal data being actively processed by staff or systems — open on screens, printed in meeting packs, discussed in conversations, displayed in dashboards. What usually goes wrong: data in use is the state that authorisation (per Article 2.2) constrains. The staff member who can technically open every client file is — at the moment of opening one — processing data in use, and the question of whether they should be allowed to is a Standard 1 and Standard 2 question. Every Caribbean SMB has staff who have access to data they have never actually opened; the question of whether they should have had the access in the first place is what the access review surfaces. |
| In Retention | Personal data the firm is still holding after the legitimate basis for holding it has expired — Standard 6 territory. Every Caribbean SMB has data in retention. The opening anecdote of this article was a retention finding at scale. The Sixth Standard of the Act is the only one that requires the firm to take active action to delete data — every other standard can be satisfied by maintaining good practice on data the firm has decided to keep. Retention requires the firm to make a positive decision to stop keeping. This is the data state where Pillar 2’s Lingerers framework (from Article 2.2) directly applies: data in retention is the data equivalent of a Lingerer, and naming the category is the first step to addressing it. The audit in §5 of this article addresses retention directly. |
The parallel with the four-lifecycle framework from Article 2.2 is deliberate. Pillar 1 had its four patterns, four archetypes, and three phases; Pillar 2 has its four postures, four lifecycle stages, and now four data states. Each pillar’s frameworks are arranged so that the fourth category in each is the one Dawgen Global names because the standard literature omits it. Lingerers in IAM are data in retention in data protection. The conceptual move is the same: the standard framework covers what is in motion or under management; the firm’s actual exposure is in what has accumulated without ever being addressed.
3. Retention — the largest single area of Caribbean SMB DPA exposure
Across the data-protection reviews we have completed at Caribbean SMBs since the DPA 2020 came into force, the Sixth Standard — retention — produces more findings, of higher materiality, than the other seven standards combined. This is not because retention is the most legally important standard. It is because retention is the only standard that requires the firm to take active, recurring action — to delete what it no longer needs — and active recurring action is what Caribbean SMBs find hardest to maintain. Encryption is set up once. Access controls are set up once. A retention policy has to be re-applied every quarter, every year, for the life of the firm.
The firm in the opening anecdote was not unusual. The 41,287 client files figure is at the upper end of what we typically find at a forty-year-old firm, but the proportion — roughly half of the firm’s stored data being retained without a documented basis — is in line with the median across our engagements. A ten-year-old firm with twenty staff and a single shared file server typically has between three and seven thousand files in retention. A twenty-year-old firm with one hundred staff and a cloud-storage platform typically has between fifteen and forty thousand. The numbers vary; the proportions do not.
What a retention policy actually looks like at Caribbean SMB scale
A retention policy, at SMB scale, is not a complex legal document. It is a one-page document, written in plain English, that states for each category of personal data the firm holds (a) the legitimate basis for holding it, (b) the period for which the basis applies, and (c) what happens to the data at the end of that period. For a typical Caribbean professional services firm the document might have fifteen to twenty-five categories of data — client engagement files, employee records, supplier payment records, prospect contact lists, marketing-event attendee lists — each with a retention period ranging from “seven years after engagement closure” (which is common for audit and tax records under separate regulatory frameworks) through “two years after the relationship ends” (typical for prospect lists) to “deleted on departure” (typical for some categories of employee data).
The policy itself is the simple part. The discipline of applying it — running a quarterly review against the firm’s storage and actually deleting what has aged past its retention period — is the part most Caribbean SMBs have never built. The opening anecdote’s firm had, it emerged, a perfectly defensible written retention policy that none of the partners could remember having seen, which is why the managing partner could honestly say the firm had never set one: a policy nobody knows exists has never been applied. The issue was not the absence of a document but the absence of the discipline the document implied. The audit in §5 of this article addresses both: the policy must exist, and it must be operating.
Deletion is a positive action, not a passive state
The Act’s Sixth Standard requires the firm to delete data that has aged past its retention period. “Delete” in this context means actively remove the data from every location the firm holds it — production systems, backup media, archived offsite copies, exported reports sitting in someone’s mailbox, copies on individual staff machines. A firm that has deleted client files from its main file server but has not addressed the seven-year-old backup that still contains them has not, in operational terms, deleted the data. It has merely moved the exposure. Backup media usually cannot be edited selectively, so the practical position is that the backup retention window is itself part of the retention policy: the data is gone only when the last backup set containing it has expired, a restore must not quietly reintroduce it, and the deletion log should record that expiry date rather than the date the production copy was removed.
This is why the discipline is recurring. A retention policy that is applied once and never re-applied produces, over a decade, exactly the situation the opening anecdote describes. The deletion has to happen quarterly, against the policy, with the deletion verified across every location the firm’s data lives. Most Caribbean SMBs do not have a deletion practice. They have a retention practice — they have decided what to keep — but they have not decided what to stop keeping, and they have certainly not built the recurring discipline that stopping keeping requires.
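The discovery exercise from the opening anecdote (a file estate in year-dated folders, classified by last legitimate need) and the quarterly application described in this section are the same computation run on different days: apply the written policy to an inventory, separate what has a basis from what does not, and log the deletions until every copy is gone. The following is an added example written for this article, not Dawgen Global tooling or the reviewed firm’s script. The policy categories and periods, the year-folder convention, and the inventory entries are constructed for illustration; a real run would read the firm’s own inventory export.

```python
"""Quarterly retention review: classify a file inventory against a written
retention policy and produce a dry-run deletion plan with per-location
verification. Added example for the article; POLICY periods, the year-folder
convention and INVENTORY are constructed, not the reviewed firm's data."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Rule:
    basis: str     # legitimate basis for holding the category (Standard 1)
    years: int     # retention period after the trigger event
    trigger: str   # the event that starts the clock

# The one-page retention policy expressed as data (constructed periods).
POLICY = {
    "client_engagement": Rule("professional and regulatory record", 7, "engagement_closed"),
    "prospect_contact": Rule("legitimate interest in follow-up", 2, "last_contact"),
    "employee_record": Rule("employment and tax record", 6, "employment_ended"),
}

@dataclass
class Item:
    path: str
    category: str
    trigger_date: Optional[date] = None   # None: not recorded, infer from year folder
    active_relationship: bool = False     # ongoing client or employee relationship
    hold: Optional[str] = None            # e.g. "pending litigation", "regulator hold"
    locations: tuple = ("primary",)       # every place a copy lives

YEAR_FOLDER = re.compile(r"/((?:19|20)\d{2})/")

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:   # 29 February in a non-leap year
        return d.replace(year=d.year + years, day=28)

def infer_trigger(item: Item) -> Optional[date]:
    """Use the recorded date; otherwise fall back to the year folder the file
    sits in, assuming year end so the clock never starts early."""
    if item.trigger_date:
        return item.trigger_date
    m = YEAR_FOLDER.search(item.path)
    return date(int(m.group(1)), 12, 31) if m else None

def classify(item: Item, today: date) -> str:
    """Return retain, hold, review or in_retention for one inventory item."""
    rule = POLICY.get(item.category)
    if rule is None:
        return "review"          # no category, so no basis can be stated
    if item.hold:
        return "hold"            # litigation or regulator hold overrides the period
    if item.active_relationship:
        return "retain"
    start = infer_trigger(item)
    if start is None:
        return "review"          # no date to run the clock from
    return "retain" if today <= add_years(start, rule.years) else "in_retention"

def summarise(inventory: list, today: date) -> dict:
    counts: dict = {}
    for it in inventory:
        state = classify(it, today)
        counts[state] = counts.get(state, 0) + 1
    return counts

def deletion_plan(inventory: list, today: date) -> list:
    """One log entry per expired item, listing every location to clear."""
    return [{"path": it.path, "locations": list(it.locations), "deleted_from": []}
            for it in inventory if classify(it, today) == "in_retention"]

def record_deletion(entry: dict, location: str) -> None:
    entry["deleted_from"].append(location)

def verified(entry: dict) -> bool:
    """Deleted only when every location, backups included, has been cleared."""
    return set(entry["locations"]) <= set(entry["deleted_from"])

# Constructed inventory: year folders, closure dates, holds and copy locations.
INVENTORY = [
    Item("Clients/2009/Acme Ltd/audit-2009.pdf", "client_engagement"),
    Item("Clients/2019/Beta Co/tax-return.pdf", "client_engagement", date(2019, 6, 30)),
    Item("Clients/2015/Gamma SA/engagement-letter.pdf", "client_engagement",
         date(2015, 3, 1), active_relationship=True),
    Item("Clients/2012/Delta Inc/final-report.pdf", "client_engagement",
         date(2012, 9, 30), hold="pending litigation"),
    Item("Marketing/prospects-2021.xlsx", "prospect_contact", date(2021, 11, 15),
         locations=("primary", "backup")),
    Item("HR/leavers/j-brown.pdf", "employee_record", date(2018, 1, 31),
         locations=("primary", "backup", "laptop-export")),
    Item("Misc/scan0001.pdf", "uncategorised"),
]
TODAY = date(2026, 3, 31)

if __name__ == "__main__":
    for state, n in sorted(summarise(INVENTORY, TODAY).items()):
        print(f"{state:13} {n}")
    for entry in deletion_plan(INVENTORY, TODAY):
        print("DELETE", entry["path"], "from", ", ".join(entry["locations"]))
```

Two design points carry the section’s argument. First, an item with no category or no usable date lands in “review” rather than being silently retained: that bucket is the list of records for which the firm cannot currently state a basis, which is exactly what Question 6 of the audit asks for. Second, the plan entry is not marked verified until every recorded location has been cleared; for a backup set that cannot be edited, the entry for that location is recorded on the date the set expires, so the log reflects when the data was actually gone.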
4. What good looks like at Caribbean SMB scale
As with Article 2.2’s IAM framework, the advice in this section is deliberately scaled to Caribbean SMB reality — thirty to two hundred staff, one IT person, running on M365 or Google Workspace, with a finance system and a small number of SaaS applications. Five components define what operational data protection looks like at that scale.
A. A named Data Protection Owner
A single named senior individual at the firm is the owner of data protection. The Act uses the term “Data Protection Officer” in some contexts; the title matters less than the accountability. In most Caribbean SMBs this person should not be the IT consultant (who handles the technical controls) or the firm’s external lawyer (who handles the legal interpretation). It is typically a senior internal manager — operations, compliance, finance, or risk — whose accountability is documented in writing and whose name is known to the board. As with the access-layer owner from Article 2.2, the position is governance, not technical.
B. A data inventory — by category, by location, by basis
The firm can produce, on demand, a list of the categories of personal data it holds, the locations in which each category is held, and the legitimate basis on which each category is retained. The inventory is not a spreadsheet of every individual record; it is a one-page map of the firm’s data estate. The depth required is enough to answer the question “do we have a basis for holding this?” for any specific category. Most Caribbean SMBs we engage with do not have this inventory; building it is the first deliverable of an operational readiness review.
C. A written retention policy, applied quarterly
The retention policy described in §3 above exists, is documented, has been approved by the Data Protection Owner, and is applied in practice on a defined schedule — at minimum quarterly, with annual full-cycle review. The application is the test, not the existence.
D. A written process for data subject requests
When a data subject — a client, a former client, an employee, a contractor — exercises their rights under the Act (to access their data, to correct it, to request its deletion), the firm has a written process for receiving the request, identifying the data, responding within statutory timeframes, and documenting the response. The process should fit on a single page. The first time it is used is the test.
E. A written breach response process, rehearsed annually
In the event of a personal data breach, the firm has a documented process for assessing, containing, and reporting the incident within the statutory timeframe (currently 72 hours for high-risk breaches under the Act). The process should name the people in the room when a breach is suspected, the assessment criteria, and the notification thresholds. A tabletop exercise at least annually tests the process before a real incident does.
5. The Six-Question Data Protection Audit
This is the third audit of Pillar 2 and the seventh of the series overall. As with the previous audits, the questions should be put to the board and the firm’s Data Protection Owner together. If Question 1 cannot be answered — if there is no such named individual — the audit pauses there and the firm has its first action item from the article.
| # | Question for the Board (with the Data Protection Owner) | What “Pass” Looks Like |
|---|---|---|
| 1 | Can the board name, today, the single individual who is the firm’s Data Protection Owner — and does that individual know it is them? | Yes — name spoken from memory, accountability acknowledged in writing. |
| 2 | Can the firm produce, on twenty-four hours’ notice, a one-page inventory of the categories of personal data it holds, the locations in which each is held, and the legitimate basis for each? | Yes — single-page inventory exists, dated within 90 days. |
| 3 | Does the firm have a written retention policy that has been applied — actual deletions performed — within the last three months? | Yes — policy exists, last applied within 90 days, deletions logged. |
| 4 | Does the firm have a written process for responding to a data subject request — and has anyone in the firm walked through it in the last twelve months, whether or not a real request was received? | Yes — written process exists, walkthrough or real use within 12 months. |
| 5 | Does the firm have a written breach response process that names, by role, the people who would be in the room when a breach is suspected — and has it been rehearsed in the last twelve months? | Yes — written process exists with named roles, tabletop within 12 months. |
| 6 | What categories of personal data is the firm currently holding for which it would, on honest inspection, struggle to state a current legitimate basis — and what is the plan to address them? | Specific categories named, with a written remediation plan and dates. “None” is acceptable only if Questions 2 and 3 passed. |
A firm that passes all six questions is operating in alignment with the Act and, importantly, has the discipline in place to remain so as the data estate evolves. A firm that passes three or four is in transition. A firm that passes one or two is operating in the position most Caribbean SMBs are in today — exposed not by malicious intent but by absence of recurring practice. The audit does not produce a legal opinion on the firm’s DPA compliance; it produces an honest map of where the firm currently stands operationally, which is the starting point for the substantive work.
6. A brief note on the regional landscape
This article has been written principally around the Jamaican Data Protection Act 2020 because that is the Act under which most of Dawgen Global’s clients operate and on which our practice has the deepest engagement. The operational principles described above translate directly, with appropriate modification, to the equivalent regional legislation in the territories where the firm also operates.
Barbados’s Data Protection Act 2019 came into force in 2021 and follows a structurally similar approach, with eight data protection principles closely paralleling Jamaica’s eight standards. Trinidad and Tobago’s Data Protection Act 2011 has been partially proclaimed and remains in incomplete implementation; the parts that are in force are substantively similar in their operational requirements. The Cayman Islands’ Data Protection Law 2017 follows the European GDPR pattern more closely and is, in some respects, more demanding. Across the wider region — including Bermuda, the Bahamas, and the Eastern Caribbean territories — data protection legislation is either in force, in implementation, or in active legislative development. Within five years, every Caribbean territory in which a Dawgen Global client of meaningful size operates will have substantive data protection law in force.
The point for a Caribbean board is therefore not which specific Act applies — almost every Caribbean firm is now subject to at least one — but that the operational disciplines described above are required regardless of which Act applies. A firm that has built the practice for Jamaica’s DPA 2020 will, with minor adjustments, be in operational alignment with the equivalent Acts in the firm’s other territories. The five components of §4 are jurisdiction-neutral. The retention policy, the data subject request process, the breach response process, the Data Protection Owner — these are operational disciplines that any Caribbean data-protection regime will recognise.
7. Where to go from here
The right starting move, after reading this article, is not to invest in new data-protection technology. The right starting move is to convene the board and ask, honestly, which of the eight Data Protection Standards the firm could currently produce evidence of complying with. Most Caribbean SMBs will find they can produce confident evidence on two or three. The remaining five or six are the substantive Pillar 2 data-protection work that this article and the next three address.
Article 2.4 — “Backup, Recovery and Operational Continuity for the Caribbean SMB” — examines what happens when the systems holding the firm’s data fail, and how the firm should plan for the recovery. The connection to the Data Protection Act is direct: a firm that cannot recover its data has, in the language of Standard 7, failed to maintain the appropriate technical and organisational measures the Act requires. Pillar 2’s spine — who has access, what they do with what they access, how the firm keeps what it must, and how it recovers when it must — continues into Article 2.4.
| WHERE TO GO FROM HERE
Name the Data Protection Owner. Build the inventory. Set the retention policy. Through Dawgen Global Technologies, the firm now offers three scoped Pillar 2 engagements: the Access Inventory Audit introduced in Article 2.2, the Cybersecurity Posture Review introduced in Article 2.1, and — new with this article — the DPA 2020 Operational Readiness Review. The Review is a two-week fixed-price engagement that maps the firm’s current state against the eight Data Protection Standards, produces the inventory and retention policy described in §4, and delivers a remediation roadmap with named owners and target dates. The Review is designed to leave the firm with operational artefacts rather than a binder. Billing in USD or JMD, Caribbean-based support, with engagement-partner oversight from Dawgen Global throughout. dawgentechnologies.com Or write to [email protected] to arrange a DPA 2020 Operational Readiness Review through your Dawgen Global engagement team. |
Author
Dr. Dawkins Brown is the Executive Chairman and Founder of Dawgen Global, an independent integrated multidisciplinary professional services firm headquartered in New Kingston, Jamaica, operating across 15+ Caribbean territories. Dawgen Global Technologies is the firm’s web-services line, delivering domains, hosting, professional email, Microsoft 365, SSL, websites, security and backups across the region.
About The Caribbean Digital Foundations Series
The Caribbean Digital Foundations Series is a 30-article thought leadership programme published by Dawgen Global on its blog (dawgen.global/blog) through 2026. The series is organised into five pillars — Foundations, Trust & Security, Presence & Performance, Productivity & Collaboration, and Commerce & Growth — and is designed to bring the same governance lens Dawgen Global applies to audit, tax and advisory engagements to the web-services decisions every Caribbean SMB must now make.
This is Article 2.3 of the series, the third article of Pillar 2 (Trust & Security). It follows Article 2.1 (“The Caribbean Cybersecurity Posture: Beyond Antivirus”) and Article 2.2 (“Identity and Access Management for the Caribbean SMB”), and is followed by Article 2.4 (“Backup, Recovery and Operational Continuity for the Caribbean SMB”).
This article addresses operational data-protection practice and is not legal advice. Where the Data Protection Act 2020’s interpretation is material to a particular decision, the firm should consult qualified counsel.
© 2026 Dawgen Global | Big Firm Capabilities. Caribbean Understanding.
About Dawgen Global
“Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a steppingstone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.
Email: [email protected]
Visit: Dawgen Global Website
WhatsApp Global Number: +1 555-795-9071
Caribbean Office: +1 876-665-5926 / +1 876-929-3670 / +1 876-926-5210
USA Office: 855-354-2447
Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements

