European Union “General Data Protection Regulation” applicable in Curaçao as of 25 May 2018

Willemstad, 7 May 2018 – The protection of personal data is fundamental to every individual. Worldwide people have become increasingly concerned about their (online) privacy, especially in view of developments in the cyber world in recent years. As of 25 May the so called European Union’s General Data Protection Regulation (GDPR) will enter into force. Curaçao will also have to comply with the rules for data protection as established in this regulation, GDPR (www.eugdpr.org).

This entails that this regulation is also applicable to all organizations, whether it be governmental, private or non-profit, that have databanks consisting of data/information (digital or hard copy) of people residing or working in or traveling through the EU. Non-compliance of the GDPR may lead to penalty fees amounting up to millions of euros.

Despite the acceptance of the regulation in 2016, many organizations have not started taking the necessary steps to achieve compliance until now.

Consequently the government of Curaçao, Bureau Telecommunicatie en Post (BT&P) and Cyberbloc have started an awareness campaign aimed at all parties affected by the GDPR. The purpose of the campaign is to create awareness on the minimum GDPR requirements that need be met as of 25 May to mitigate the short term repercussions of GDPR and in turn to proceed with the trajectory towards full GDPR compliance.

GDPR in short

GDPR allows for a better protection of all personal data of the data subject and an increased control of his information saved in data banks. This enables the data subject to access, request to adapt or even to remove his data from the data bank, if desired. Examples of what constitutes as personal information are: telephone numbers, an email address, purchasing behavior, drivers’ license numbers, bank account numbers, login and password for websites, employee information, medical information and even an IP address.

The purpose of the regulation is to avoid data abuse. Some extreme examples of data abuse the GDPR regulation aims to mitigate is the selling of personal information on the black market and even for extortion purposes.

It is imperative to create enough awareness on the consequences for organizations in case of a breach in their databank and what happens if the competent European authorities are not notified within the maximum 72 hour time frame allowed. Non-compliance can lead to penalty fees that can amount up to a maximum of 20 million euro or 4% of the organization’s world turnover.

Curaçao and GDPR

Research has shown that an average of 50% of organizations in Europe can comply with the established rules of the GDPR. In the Caribbean, including Curaçao, this average lies between 5 and 7 %.

Apart from Curaçao residents that enjoy the privileges that come with this regulation, there are many organizations with commercial ties and interaction with Europe. It is therefore essential that local companies prepare thoroughly and take the necessary measures to comply with at least the basic requirements. Various sectors and specific organizations, in anticipation of the regulation entering into force on May 25th, have started an internal evaluation of their current data protection procedures by executing risk assessments to acquire a sense of the extent to which they comply.

Cyberbloc is one of the organizations actively involved in the awareness campaign on GDPR for the community of Curaçao and can also provide internal self-assessment and risk analysis support services in preparation for the GDPR.

New employment opportunities

With the introduction of GDPR not only comes a set of requirements and rules organizations must abide by, but the new regulation also brings new job opportunities. As a result of GDPR many companies will be forced to train their staff or to hire additional supporting staff to ensure the protection of personal data. BT&P, as a regulation authority and organization responsible for safeguarding cyber security, is in the midst of preparations to provide training and certification to those who will be working in these positions.

Awareness campaign for the community

To create more awareness for GDPR and its repercussions, the government of Curaçao, BT&P and Cyberbloc have joined forces. Through their collaboration the organizations involved hope to facilitate all the information required for a proper preparation towards the date of effective enforcement of the regulation and subsequently help the community accomplish a smooth implementation process. With proper and timely preparation and thorough internal evaluations and risk analyses businesses should be able to at least comply with the minimum applicable requirements on 25 May and establish the right framework for the subsequent process that should lead to full compliance with GDPR.

For more information the Cyberbloc website can be consulted, www.cyberbloc.com. The BT&P website will also provide useful information, btnp.org. In addition more in-depth and detailed information will be provided in the various media regarding the objective of the regulation, its content, advice on the best approach towards implementation, but also how to ensure compliance with at least a few basic requirements of the GDPR.

For questions feel free to contact one of the BT&P experts on +(599-9) 463-1700 or e-mail to info.gdpr@burtel.cw

(Source: BT&P press release_ENG. BT&P press release NL. BT&P press release PAP. BT&P Publication period: 2018)