GDPR can feel like an EU issue, right up until a Jamaican business accepts European bookings, markets to EU customers, monitors website visitors from the European Economic Area, or processes data on behalf of an international client. At that point, GDPR compliance becomes a commercial, legal and reputational priority.
The General Data Protection Regulation (GDPR) is one of the world’s most influential privacy laws. It applies directly across the EU and, in many cases, reaches businesses outside Europe. For organisations in Jamaica and the wider Caribbean, the practical question is not simply “Are we located in the EU?” It is “Do our activities bring us within the GDPR’s scope, and can we prove that we handle personal data lawfully, securely and transparently?”
This guide explains GDPR compliance as a step-by-step business process, with a focus on practical decisions that directors, compliance teams, legal departments and operational managers can act on.
Before you begin: does GDPR apply to your business?
Under Article 3 of the GDPR, the regulation may apply to organisations outside the EU where they offer goods or services to people in the EU or monitor their behaviour within the EU. The focus is on the location of the individual whose data is processed, not their nationality.
The European Data Protection Board has also published guidance on the GDPR’s territorial scope, which is useful for businesses assessing whether their EU-facing activity is more than incidental.
| Business scenario | GDPR risk level | Why it matters |
|---|---|---|
| A Jamaican hotel actively markets packages to EU residents and collects booking details online | High | The business may be offering services to people in the EU |
| A software company in Jamaica processes customer data for an EU-based client | High | It may act as a processor for an EU controller |
| An ecommerce site prices products in euros and ships to EU countries | High | EU targeting indicators may bring the business within GDPR scope |
| A website receives occasional EU visitors but does not target them | Lower | Mere accessibility from the EU is not usually enough on its own |
| A business uses analytics or advertising tools to track EU website users | Medium to high | Behavioural monitoring can trigger GDPR obligations |
If the GDPR applies, non-compliance can expose a business to regulatory action, contractual disputes, loss of customer trust and, in serious cases, administrative fines. GDPR penalties can reach up to €20 million or 4% of annual worldwide turnover, whichever is higher, depending on the infringement.
What compliance with GDPR really involves
GDPR compliance is not a single document or a one-off privacy notice. It is an operating model for collecting, using, storing, sharing and deleting personal data in a lawful and accountable way.
In practical terms, a compliant organisation should be able to show that it understands what personal data it holds, why it holds it, who has access to it, where it is transferred, how long it is retained and what happens if something goes wrong.
The GDPR is built around principles such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability. The final principle, accountability, is especially important because it requires evidence. A business must not only comply, it must be able to demonstrate compliance.
Step 1: Confirm your GDPR scope and role
Start by determining whether GDPR applies to all, part or none of your processing activities. Some organisations make the mistake of assuming that if one part of the business touches EU data, the entire business must be treated in the same way. Others make the opposite mistake and ignore GDPR because they are incorporated outside Europe.
A better approach is to examine specific activities. For example, your EU guest booking process may fall within scope, while a purely local HR process may be governed primarily by Jamaican law. If your business provides services to an EU company, your contractual processing for that client may be subject to GDPR even if your own local customer database is not.
You should also determine whether you are a controller, processor or joint controller for each activity. A controller decides why and how personal data is processed. A processor acts on behalf of a controller. Joint controllers jointly determine purposes and means. These distinctions affect your obligations, contracts, liability and documentation.
If a non-EU business is caught by Article 3(2), it may also need to appoint an EU representative under Article 27, unless an exemption applies. This is a point that should be reviewed carefully with legal counsel, particularly where EU-facing activity is regular or material.
Step 2: Map your personal data and data flows
You cannot manage what you have not mapped. A data mapping exercise identifies the personal data your organisation collects, the systems that store it, the people who use it, the vendors who receive it and the jurisdictions where it travels.
For many businesses, this step reveals hidden risk. Marketing teams may use customer relationship management platforms, cookies, email tools and social media audiences. Finance teams may share payment information with processors. HR teams may store employee records in cloud systems. Customer support teams may receive identity documents, complaints, health information or other sensitive details.
Your data map should cover core categories such as customer data, employee data, supplier data, website user data, payment data, complaint records and any special category data. Special category data includes information such as health data, biometric data used for identification, racial or ethnic origin, political opinions, religious beliefs and certain other sensitive information. Processing this type of data usually requires an additional condition under Article 9 of the GDPR.
A practical data map should answer these questions: what data is collected, where it comes from, why it is used, who can access it, who it is shared with, where it is stored, how long it is kept and what security measures apply.
Step 3: Identify the lawful basis for each processing activity
The GDPR requires a lawful basis for processing personal data. The six lawful bases under Article 6 are consent, contract, legal obligation, vital interests, public task and legitimate interests.
Businesses often overuse consent because it feels safe. In reality, consent under GDPR must be freely given, specific, informed and unambiguous. It must also be as easy to withdraw as it is to give. If a customer cannot realistically refuse, or if the processing is necessary to perform a contract, consent may not be the best basis.
For example, processing a guest’s name, contact details and payment information to complete a hotel booking may be based on contract. Sending optional marketing emails may require consent or another lawful basis depending on the context. Using customer data for fraud prevention may rely on legitimate interests, provided the organisation performs and documents a balancing assessment.
Do not select a lawful basis after the fact merely to justify existing practices. The lawful basis should be identified before processing begins and reflected in your privacy notice, internal records and operational procedures.
Step 4: Update privacy notices, consent and cookie practices
Transparency is one of the most visible parts of GDPR compliance. Individuals should be told, in clear language, what personal data you collect, why you collect it, the lawful basis relied on, who you share it with, how long it is retained, what rights they have and how they can complain.
A privacy notice should be specific to your actual business operations. Copying a generic notice from another website is risky because it may describe practices you do not follow or omit practices that you do. Regulators, customers and business partners increasingly expect privacy notices to match reality.
Cookie and tracking practices also require attention. If your website uses analytics, advertising pixels, behavioural tracking or similar tools for EU users, you may need a consent mechanism that works alongside GDPR and applicable EU cookie rules. Pre-ticked boxes, bundled consent and vague “by continuing to browse” language are common weak points.
For consent-based processing, keep evidence of when, how and for what purpose consent was obtained. Also ensure that withdrawal is practical. A customer should not have to call, write a letter or navigate unnecessary obstacles to unsubscribe from marketing communications.
Step 5: Build a process for data subject rights
GDPR gives individuals several rights over their personal data. These include the right of access, rectification, erasure, restriction, portability, objection and rights relating to certain automated decisions.
A business needs more than an email address for privacy requests. It needs a workflow. Staff should know how to recognise a request, verify identity where appropriate, escalate it internally, search relevant systems, apply exemptions where legally justified and respond within the required timeframe.
The standard response period is one month, although it can be extended in certain circumstances for complex or numerous requests. If your organisation operates across GDPR and Jamaica’s Data Protection Act, 2020, the response process should be designed to manage both regimes without confusion.
Good rights management also depends on good records. If you do not know where personal data sits, responding to an access or deletion request becomes slow, inconsistent and risky.
Step 6: Review vendor, customer and partner contracts
Many GDPR failures occur through third parties. Cloud platforms, payment processors, marketing agencies, IT support providers, logistics partners, booking engines and outsourced service providers may all handle personal data.
If a vendor processes personal data on your behalf, GDPR Article 28 requires a written processor contract with specific terms. These typically address documented instructions, confidentiality, security, subprocessors, assistance with data subject rights, breach support, deletion or return of data and audit rights.
If your business processes data for an EU client, expect that client to require GDPR-compliant processor terms, security commitments, breach notification duties and evidence of your privacy governance. This is not merely a legal issue. It can affect whether your business wins or retains international contracts.
Contract review should also cover data ownership, permitted use, audit cooperation, liability allocation, indemnities, subcontracting and termination obligations. Privacy terms should be aligned with the operational reality of the service, not treated as boilerplate at the end of the agreement.
Step 7: Manage international data transfers properly
For Jamaican businesses, international data transfers are often central to GDPR compliance. If personal data moves from the EEA to Jamaica, the United States or another country outside the EEA, GDPR transfer rules may apply.
Where there is no EU adequacy decision covering the destination country, organisations usually need an appropriate transfer mechanism. The most common mechanism is the European Commission’s Standard Contractual Clauses. In many cases, businesses must also assess whether the laws and practices of the destination country affect the protection promised by those clauses.
This is a common issue for Caribbean organisations using global cloud platforms or serving EU clients. It is not enough to say “our provider is reputable” or “the data is in the cloud.” You need to know where data is stored, whether support teams can access it from other jurisdictions and what contractual safeguards apply.
Transfer compliance should be built into procurement. Before onboarding a vendor or signing a client contract, confirm the data locations, transfer tools, security controls and documentation needed to support the relationship.
Step 8: Strengthen security and breach response
GDPR does not prescribe one universal security standard for every business. Instead, Article 32 requires appropriate technical and organisational measures based on risk. Measures may include encryption, pseudonymisation, access controls, backups, testing, incident response procedures and the ability to restore availability after an incident.
Security is not only an IT issue. It involves HR onboarding, access termination, vendor management, staff training, document handling, physical security and senior management oversight. A strong password policy means little if former staff retain access to systems, or if sensitive files are routinely shared through unsecured channels.
GDPR also has strict breach notification rules. A personal data breach must be reported to the relevant supervisory authority within 72 hours where it is likely to result in a risk to individuals’ rights and freedoms. If the risk is high, affected individuals may also need to be informed without undue delay.
A breach response plan should set out who investigates, who decides whether notification is required, who communicates with regulators, who handles affected customers and how evidence is preserved. The plan should be tested before a real incident occurs.
Step 9: Create governance, records and accountability evidence
GDPR compliance should be documented. Regulators and business partners often ask not only what your policy says, but what evidence you can produce.
Key accountability records may include:
A record of processing activities
Data protection impact assessments for high-risk processing
Legitimate interests assessments where relevant
Privacy notices and consent records
Processor agreements and transfer documentation
Security policies and incident logs
Training records and internal procedures
Retention schedules and deletion records
Some organisations must appoint a Data Protection Officer under GDPR, such as where core activities involve large-scale regular and systematic monitoring or large-scale processing of special category data. Even where a formal DPO is not legally required, assigning clear responsibility for privacy governance is essential.
High-risk projects should be reviewed through a data protection impact assessment before launch. Examples may include new surveillance tools, large-scale profiling, sensitive data processing, AI-assisted decision-making or systems that combine multiple data sources in ways individuals may not expect.
GDPR and Jamaica’s Data Protection Act: why alignment matters
Jamaican businesses should not treat GDPR in isolation. Jamaica’s Office of the Information Commissioner oversees the local data protection framework under the Data Protection Act, 2020. While GDPR and Jamaican data protection law are not identical, they share important privacy concepts, including fairness, transparency, security, purpose limitation and individual rights.
Aligning your GDPR work with local data protection obligations can reduce duplication and create a more consistent compliance programme. This is especially important for organisations that handle both local personal data and EU-related personal data.
| Compliance area | GDPR focus | Practical point for Jamaican businesses |
|---|---|---|
| Scope | May apply outside the EU when EU individuals are targeted or monitored | Do not assume location in Jamaica removes GDPR risk |
| Transparency | Detailed privacy information under Articles 13 and 14 | Use notices that accurately reflect actual data practices |
| Accountability | Evidence-based compliance | Keep records that can support both regulatory and contractual reviews |
| Security | Risk-based technical and organisational measures | Link privacy compliance with cybersecurity and vendor controls |
| Transfers | Restrictions on transfers outside the EEA | Review EEA-to-Jamaica and cloud-based transfers carefully |
| Individual rights | Access, erasure, objection, portability and other rights | Build a unified process for handling privacy requests |
If your organisation is already preparing for or maintaining compliance under Jamaica’s Data Protection Act, that work can provide a strong foundation. However, GDPR may require additional steps, particularly in relation to EU-facing transparency, lawful bases, processor contracts, international transfers and EU representative obligations.
Common GDPR compliance mistakes to avoid
The most common mistake is treating GDPR as a paperwork exercise. A privacy policy alone will not protect a business if the underlying processes are inconsistent, excessive or insecure.
Another mistake is ignoring marketing and analytics. Many organisations focus on customer contracts and databases but overlook cookies, advertising pixels, email lists and profiling tools. These activities can create GDPR obligations even where the core business seems low risk.
A third mistake is failing to involve the right teams. Legal, IT, marketing, HR, procurement, finance and operations may all process personal data in different ways. GDPR compliance is strongest when each team understands its role and when leadership treats privacy as part of risk management, not merely an administrative task.
Finally, businesses should avoid waiting for a breach, customer complaint or client audit before acting. GDPR compliance is easier, less expensive and more credible when it is built before a crisis.
Frequently Asked Questions
Does GDPR apply to a Jamaican company with no EU office? Yes, it can. If the company offers goods or services to people in the EU or monitors their behaviour in the EU, GDPR may apply even without an EU office.
Is GDPR only about EU citizens? No. GDPR protects individuals who are in the EU or EEA in relevant circumstances. The person’s nationality is not the central test.
Do we need consent for all personal data processing? No. Consent is only one lawful basis. Depending on the activity, contract, legal obligation or legitimate interests may be more appropriate. The correct basis should be identified before processing begins.
What is the biggest GDPR issue for Caribbean businesses? International data transfers are often a major issue, especially when EEA personal data is sent to Jamaica or processed through global cloud service providers. Vendor contracts and transfer safeguards should be reviewed carefully.
How often should GDPR compliance be reviewed? At least annually, and whenever there is a major change in systems, vendors, marketing practices, data use, business model or jurisdictions served.
Can GDPR compliance support Jamaica Data Protection Act compliance? Yes. The two regimes are not identical, but many governance steps overlap. A coordinated privacy programme can help reduce duplication and strengthen overall compliance.
Get practical legal support for GDPR and data privacy compliance
Compliance with GDPR is not just about avoiding penalties. It is about building trust, protecting commercial relationships and ensuring that personal data is handled with the level of care modern business requires.
Henlin Gibson Henlin advises clients on data privacy, compliance and risk law, with a client-focused approach to practical legal solutions. If your organisation handles EU-related personal data, processes information for international clients or wants to align privacy governance with Jamaican legal obligations, experienced legal guidance can help you assess risk and take the right next steps.
To discuss your organisation’s privacy and compliance needs, visit Henlin Gibson Henlin. If you are still evaluating external counsel, you may also find our guide on how to choose data protection law firms useful.
This article is for general information only and does not constitute legal advice. Specific GDPR obligations should be assessed based on your organisation’s facts, contracts, jurisdictions and data processing activities.
