How Aegis maps to Caribbean data protection law.

Three jurisdictions. Three distinct laws. One platform built to handle all of them correctly — not adapted from a GDPR template. This page explains exactly how Aegis intersects with each law, written for DPOs and decision-makers, not lawyers.

🇧🇧

Barbados

Data Protection Act, Cap. 308D (2019)

Primary jurisdiction
72 hrs: Breach notification to Commissioner
30 days: DSR response from ID verification
4 hrs: FSC major incident notification
General

Built from the ground up for the Barbados DPA 2019. Every rule, deadline, and gap analysis flag in the platform references the Act directly — not a GDPR approximation.

The distinction matters. The Barbados DPA has its own legal basis structure (ss.6–12), its own breach notification clock (s.26), its own DSR deadline trigger (from identity verification, not receipt), and its own sector-specific overlays through the FSC. Generic GDPR tools do not handle these correctly. Aegis does.

Any person or organisation — private or public — that processes personal data of individuals in Barbados. This includes all private sector businesses, government ministries, statutory bodies, NGOs, and non-profit organisations operating in or connected to Barbados.

There is no "small business exemption" in the DPA 2019. Size does not determine obligation — if you handle personal data, the Act applies.

Key deadlines & obligations

The Breach Management module (Module 03) starts the 72-hour clock the moment you log an incident — consistent with s.26 of the DPA 2019, which requires notification to the Commissioner from the point of awareness, not from investigation or confirmation.

The module walks you through severity classification, documentation of the breach scope, risk assessment, and generates the Commissioner notification form as a completed Word document. It also handles the FSC's separate 4-hour major incident notification requirement for regulated financial entities, which runs from classification — not from awareness.

Because that is what s.23 of the Barbados DPA 2019 requires. The 30-day response window runs from the date you have verified the requester's identity — not from the date their request was received. This is one of the most commonly misapplied rules in Caribbean compliance practice.

The Data Subject Requests module (Module 08) handles this correctly: the deadline clock does not start until identity verification is logged. This protects you from artificially short response windows that inflate non-compliance risk.

Sections 6–12 of the DPA 2019 set out the conditions under which personal data may be lawfully processed. A separate legal basis must be identified for each processing activity. Selecting a single basis and applying it across all processing — or relying on consent as a default — is a compliance error.

Aegis enforces multi-basis selection throughout the platform. The Consent & Legal Basis Register (Module 05) and Data Flow Mapping module (Module 01) both require a specific basis to be assigned per activity. The gap analysis engine flags any processing activity recorded without a valid basis.

Platform coverage

All 11 modules are built around Barbados DPA 2019 obligations as the baseline. The most directly mapped are:

  • Module 01 — Data Flow Mapping: Article 4 / accountability obligation — know what you process and why
  • Module 02 — ROPA: Records of processing activities — foundational accountability requirement
  • Module 03 — Breach Management: s.26 — 72-hour notification to Commissioner; FSC 4-hour rule
  • Module 05 — Consent & Legal Basis Register: ss.6–12 — lawful basis per processing activity
  • Module 08 — Data Subject Requests: ss.22–24 — access, rectification, objection rights; s.23 30-day deadline
  • Module 09 — Audit & Evidence Log: Accountability principle — demonstrate compliance to the Commissioner

Yes. The Financial Services Commission of Barbados imposes additional data and cyber incident obligations on licensed financial entities — most notably the 4-hour major incident notification requirement. This runs from the point of classification, not from initial awareness.

The Breach Management module (Module 03) handles both the DPA 2019 72-hour Commissioner notification and the FSC 4-hour clock as parallel workflows, generating separate notification documents for each regulator.

🇯🇲

Jamaica

Data Protection Act, 2020

Supported
30 days: DSR response deadline
72 hrs: Breach notification to OIC
2020: Act year — phased commencement
General

Both Acts are grounded in similar principles — lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity — but they differ in structure, regulator, and specific procedural requirements.

Key differences include: Jamaica's Act is administered by the Office of the Information Commissioner (OIC), not a dedicated Data Protection Commissioner. The commencement of the Jamaica DPA 2020 has been phased, with different provisions coming into force at different times. Some obligations that are fully live in Barbados remain in transitional status in Jamaica. Aegis accounts for these differences and does not apply Barbados-specific rules to Jamaica compliance workflows.

Any data controller or data processor that processes personal information of individuals in Jamaica. This includes Jamaican-registered organisations and foreign entities whose processing activities directly affect individuals in Jamaica.

The Act applies to both the private and public sector, though certain government entities have modified obligations in respect of national security and law enforcement functions.

Platform coverage

Organisations operating under the Jamaica DPA 2020 can select Jamaica as their jurisdiction within Aegis. The platform then applies Jamaica-specific logic: OIC notification templates for breach reporting, Jamaica-aligned DSR response workflows, and document outputs that reference the correct Act and regulator.

For organisations operating in both Barbados and Jamaica, Aegis supports multi-jurisdiction configuration — allowing separate compliance tracks to run in parallel under a single platform instance.

Yes. The platform's Jamaica compliance logic reflects which provisions are currently in force and which remain in transitional status. We monitor OIC guidance and update the platform as further provisions commence. Early access participants will be notified of any material changes affecting their Jamaica compliance workflows.

🇬🇩

Grenada

Personal Data Protection Act, 2023

Supported — expanding
2023: Most recent CARICOM data law
72 hrs: Breach notification obligation
30 days: DSR response standard
General

The Grenada Personal Data Protection Act 2023 is the most recently enacted data protection law among the three jurisdictions Aegis currently supports. It applies to any entity that processes personal data of individuals in Grenada — public and private sector — and reflects a modern data protection framework with similarities in structure to both the Barbados and Jamaica Acts.

As the newest of the three laws, some implementing regulations and regulatory guidance from the designated supervisory authority remain in development. Aegis tracks these developments and updates platform logic accordingly.

Organisations selecting Grenada as their jurisdiction receive PDPA 2023-aligned compliance workflows — including Grenada-specific breach notification templates, DSR management, and document outputs that reference the correct Act. Core obligations around lawful basis, data subject rights, and breach notification are fully supported.

As the Grenada supervisory authority issues further regulatory guidance, Aegis will update its Grenada compliance logic. Platform updates affecting Grenada workflows are communicated to relevant early access participants directly.

Multi-jurisdiction

Yes. Organisations operating across Barbados, Jamaica, and Grenada — or any combination — can run parallel compliance tracks within a single Aegis instance. Each jurisdiction's rules, deadlines, document templates, and regulator notification workflows are kept separate and correctly applied.

For CARICOM-wide operations, Aegis is the only platform that handles all three currently enacted Caribbean data protection laws without requiring separate tools or manual adaptation for each jurisdiction.

Yes. The platform roadmap includes full CARICOM coverage as additional jurisdictions enact data protection legislation. Trinidad and Tobago, Saint Lucia, and the Eastern Caribbean states are in view for future platform versions.

Early access participants will have direct input into which jurisdictions are prioritised for expansion. If your organisation has multi-jurisdiction requirements not yet covered by the current three, please note this in your early access application — it directly informs the V2 roadmap.

Ready to apply these laws correctly?

Aegis handles the jurisdictional complexity so you don't have to. Request early access and see how the platform manages your specific compliance obligations — by name, by section, by deadline.