DPO Caribbean

Caribbean Data Protection and Privacy Laws

The data protection and privacy legislative landscape is continuously evolving. In the Caribbean, in particular, it is important for organisations to understand their compliance obligations, as they expand their customer base and trade borders. DPO Caribbean provides a range of data protection solutions including data protection officer (DPO) services, data protection representative services, policy and legislation services, and consultancy.


This page is not intended to provide legal advice; it is only intended to provide general information about data protection and privacy legislation in select jurisdictions in the Caribbean and the rest of the world.


Data Protection and Privacy Laws of the Caribbean

DPO Caribbean provides a comprehensive overview of the state of data protection and privacy laws in countries in the region.

Please visit our DPO Digest Page for further discourse on the region's developments in data protection and privacy.

Anguilla

Anguilla Data Protection Law


Entry into Force: N/A


Regulatory Authority: N/A


Overview: There is currently no data protection legislation for Anguilla. The Constitution provides for the fundamental rights and freedoms concerning the protection for the private and family life of a person.

Antigua and Barbuda

Antigua and Barbuda Data Protection Act, 2013 


Entry into Force: On Assent


Regulatory Authority: Information Commissioner


Overview: The DPA promotes the protection of personal data processed by public and private bodies and promotes transparency and accountability by providing for certain data subject rights, privacy and data protection principles, and conferring on the Information Commissioner the role of carrying out and enforcing the protection of data pursuant to the Act.

The Bahamas

Bahamas Data Protection (Privacy of Personal Information) Act, 2003


Entry into Force: 2007


Regulatory Authority: Office of the Data Protection Commissioner


Overview: The Act seeks to protect the privacy of individuals concerning personal data and to regulate the processing of certain information relating to individuals by providing for data subject rights, obligations of data controllers and conferring on the Data Protection Commissioner certain roles pursuant to the Act.

Barbados

Barbados Data Protection Act, 2019


Entry into Force: March 2021, with certain exceptions


Regulatory Authority: Data Protection Commissioner


Overview: The Act regulates the processing of personal data and the protection of the privacy of individuals in relation to their personal data by providing for data protection principles, rights of data subjects, obligations of data controllers and data processors, and conferring the role of the Data Protection Commissioner.

Belize

Belize Data Protection Act, 2021


Entry into Force: by Order in the Gazette


Regulatory Authority: Data Protection Commissioner


Overview: The Act regulates the processing of personal data and the protection of the privacy of individuals in relation to their personal data by providing for the rights of data subjects, data protection principles, obligations of data controllers and processors, conferring the role of the Data Protection Commissioner, and establishing the Data Protection Tribunal.

Bermuda

Bermuda Personal Information Protection Act, 2016 and Personal Information Protection Amendment Act 2023


Entry into Force: Partially in force. Fully in force on 1 January 2025


Regulatory Authority: Privacy Commissioner


Overview: The Act regulates the processing of personal information by establishing the Privacy Commissioner, specifying certain obligations of organisations, general principles and rules regarding data protection, rights of individuals, and certain exclusions of the Act.

British Virgin Islands

BVI Data Protection Act, 2021


Entry into Force: 9 July 2021


Regulatory Authority: Office of the Information Commissioner


Overview: The Act regulates the protection of personal data processed by public and private bodies by establishing the OIC, specifying privacy and data protection principles, rights of data subjects, and certain obligations of data users and data processors.

The Cayman Islands

The Cayman Islands Data Protection, 2021 Revision


Entry into Force: 30 September 2019


Regulatory Authority: The Ombudsman


Overview: The Act regulates the processing of personal data and the protection of the privacy of individuals in relation to their personal data by providing for the rights of data subjects, data protection principles, obligations of data controllers and data processors, and conferring the role of the Ombudsman.

Cuba

Cuba Personal Data Protection Act, 2022, Ley No. 149 De Protección De Datos Personales


Entry into Force: February 2023


Regulatory Authority: The Ministry of Justice (El Ministro de Justicia)


Overview: The Act regulates the right of individuals to the protection of their personal data by specifying data protection principles, obligations in relation to the use and processing of personal data by public and private persons or entities, and information of a public nature.

Dominica (The Commonwealth of)

Dominica Data Protection Law


Entry into Force: N/A


Regulatory Authority: N/A


Overview: No data protection legislation for Dominica was identified. The Constitution provides for the fundamental rights and freedoms concerning the protection for the privacy of a person's home and other property.

Dominican Republic

Dominican Republic Protection of Personal Data Law, Law No. 172-13 for the Protection of Personal Data


Entry into Force: N/A


Regulatory Authority: The Ombudsman, and in relation to SICs, the Superintendent of Banks.


Overview: The Act regulates the privacy of individuals and the protection of personal data recorded in archives, public records, data banks or other technical means of data processing intended to provide reports, whether public or private.

Grenada

Grenada Data Protection Act, 2023


Entry into Force: by Order in the Gazette


Regulatory Authority: Information Commission


Overview: The Act seeks to promote the protection of personal data processed by public and private bodies by establishing the Information Commission, specifying privacy and data protection principles, rights of data subjects, and certain obligations of data users and data processors.

Guyana

Guyana Data Protection Act, 2023


Entry into Force: by Order in the Gazette


Regulatory Authority: Data Protection Office


Overview: The Act regulates the processing of personal data and the protection of the privacy of individuals in relation to their personal data by providing for the rights of data subjects, data protection principles, obligations of data controllers and data processors, establishing the Data Protection Office, and conferring the role of the Data Protection Commissioner.

Haiti

Haiti Data Protection Law


Entry into Force: N/A


Regulatory Authority: N/A


Overview: No data protection legislation for Haiti was identified.

Jamaica

Jamaica Data Protection Act, 2020


Entry into Force: Certain sections on 1 Dec 2021/2023


Regulatory Authority: Office of the Information Commissioner


Overview: The Act sets out the rights of data subjects, data protection standards, obligations of data controllers and enforcement provisions. The Act also establishes the Office of the Information Commissioner. The Act provides for a 2-year transitional period and the government also granted a 6-month grace period to allow data controllers to comply.

Montserrat

Montserrat Data Protection Law


Entry into Force: N/A


Regulatory Authority: N/A


Overview: No data protection legislation for Montserrat was identified. The Constitution provides for the fundamental rights and freedoms concerning the protection for the privacy of a person's home and other property.

Saint Kitts and Nevis

Saint Kitts and Nevis Data Protection Act 2018


Entry into Force: by Order in the Gazette


Regulatory Authority: Information Commissioner


Overview: The Act seeks to promote the protection of personal data processed by public and private bodies by specifying privacy and data protection principles, rights of data subjects, and certain obligations of data users and data processors.

Saint Lucia

Saint Lucia Privacy and Data Protection Act (Cap 8.18)


Entry into Force: Certain provisions in 2023


Regulatory Authority: Data Protection Commissioner


Overview: The Act provides for the protection of individuals in relation to personal data and regulates the processing of personal information by specifying the appointment of the Data Protection Commissioner, data protection principles, rights of data subjects, registration and obligations of data controllers, and PIA requirements.

Saint Vincent and the Grenadines

Saint Vincent and the Grenadines Privacy Act, 2003


Entry into Force: by Order in the Gazette


Regulatory Authority: Privacy Commissioner


Overview: The Act provides for the promotion and protection of the privacy of individuals by regulating the processing of personal information by public authorities and provides certain rights to individuals relating to personal information.

Suriname

Suriname Privacy and Personal Data Protection Bill (2020)


Entry into Force: N/A


Regulatory Authority: Data Protection Commissioner (Proposed)


Overview: There is currently no data protection law in Suriname. The current Bill seeks to impose a legal obligation to handle personal data responsibly by establishing an independent data protection authority, rights relating to individuals, and obligations of controllers and processors.

Trinidad and Tobago

Trinidad and Tobago Data Protection Act, 2011


Revised Data Protection Bill in progress


Entry into Force: Certain provisions in 2012 and 2021.


Regulatory Authority: Office of the Information Commissioner


Overview: The Act provides for the protection of personal privacy and information, establishes an Office of the Information Commissioner, and provides for certain obligations concerning the protection of personal data by public and private entities.

Turks and Caicos Islands

Turks and Caicos Islands Data Protection Law


Entry into Force: N/A


Regulatory Authority: N/A


Overview: No national data protection legislation for Turks and Caicos was identified. The Constitution provides for the fundamental rights and freedoms concerning the protection for the privacy of a person's home and other property.


Data Protection and Privacy Laws of the World

DPO Caribbean provides a summary of key data protection and privacy legislative developments in select jurisdictions across the globe.

Canada

Privacy Act, 1985

Personal Information Protection and Electronic Documents Act, 2000

Bill to enact the Consumer Privacy Protection Act


Regulatory Authority: Office of the Privacy Commissioner

Overview: The PIPEDA seeks to support and promote electronic commerce by protecting personal information that is processed in certain circumstances. 

EU General Data Protection Regulation

Regulation (EU) 2016/679 (General Data Protection Regulation) 


Regulatory Authority: Competent Supervisory Authority


Overview: Repeals Directive 95/46/EC and seeks to continue to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.

Ghana

Ghana Data Protection Act, 2012


Regulatory Authority: Data Protection Commission


Overview: The Act establishes the Data Protection Commission and makes provision for the regulation of the processing of personal data, the principles of data protection, the rights of data subjects, obligations of data controllers and data processors, and registration requirements.

Kenya

Kenya Data Protection Act, 2019


Regulatory Authority: Data Protection Commissioner


Overview: The Act establishes the Office of the Data Protection Commissioner and makes provision for the regulation of the processing of personal data, the rights of data subjects and obligations of data controllers and data processors including registration.

Singapore

Singapore Personal Data Protection Act, 2012


Regulatory Authority: Personal Data Protection Commission


Overview: The Act governs the processing of personal data by organisations, establishes the Do Not Call (DNC) Registry, and designates the Info‑communications Media Development Authority as the regulator.  


The latest amendments took effect in phases from 1 February, 2021.

The United Kingdom

The UK's Data Protection Act 2018


Regulatory Authority: Information Commissioner's Office, UK


Overview: The Data Protection Act reflects the UK's implementation of the EU General Data Protection Regulation (GDPR). The Act regulates the processing of personal information relating to individuals used by organisations, businesses and the government.

The information provided on this page is based on publicly available information (last updated January 2024). DPO Caribbean is not responsible for the availability or accessibility of third party websites or the accuracy or completeness of information therein.


Copyright © 2025 DPO Caribbean - All Rights Reserved.
