Resources
On May 2023, Grenada enacted the Data Protection Act, No. 1 of 2023 (GDPA), establishing a comprehensive legal framework for the protection of personal data. This legislation seeks to promote transparency, accountability, and security in the processing of personal information by both public and private entities. By ensuring that individuals’ data is handled lawfully, the Act enhances privacy rights while setting clear obligations for organisations that process personal data. The GDPA applies to any organisation or individual involved in processing personal data within Grenada, particularly in the context of commercial transactions. Uniquely, the Act defines a data subject as including both individuals and legal entities, meaning that businesses and organisations also benefit from its protections. This broad scope ensures that both personal and corporate data are safeguarded under the legislation.
At the heart of the Act are several fundamental data protection principles that govern how personal information must be handled. Organisations are required to obtain explicit consent before processing data, ensure that personal data is collected for a specific and legitimate purpose, and avoid disclosing information for purposes other than those originally agreed upon. Additionally, organisations must implement robust security measures to protect against unauthorised access, loss, or destruction of data. The Act also places a strong emphasis on data accuracy, requiring that all personal information be kept up to date and corrected where necessary. Furthermore, personal data must not be retained for longer than necessary and should be securely deleted once it is no longer required.
To ensure that individuals have control over their personal information, the Act grants data subjects several key rights. These include the right to access their personal data, the right to correct inaccurate information, and the right to request the deletion of their personal data under certain circumstances (commonly known as the "right to be forgotten"). Data subjects also have the right to restrict or object to processing, particularly in cases of direct marketing, and can request data portability, allowing them to transfer their personal data to another service provider.
To oversee compliance with the legislation, the GDPA establishes an Information Commission, comprising three commissioners appointed for renewable three-year terms. This body is responsible for investigating complaints, promoting public awareness of data protection rights, and ensuring that organisations adhere to the law. The Information Commission also has the authority to issue enforcement notices and impose penalties for non-compliance. Organisations and their senior leadership are expected to take responsibility for data protection compliance, as failure to do so could result in significant fines and legal consequences. The Act places accountability on corporate leaders, meaning they must ensure that their organisations fully comply with data protection requirements to avoid personal liability.
One notable omission in the GDPA is the lack of specific mechanisms for the international transfer of personal data. This means that when personal information is transferred outside Grenada, there are no legal assurances that it will receive the same level of protection as under the GDPA. This absence presents a challenge for organisations engaging in cross-border data transfers, as additional safeguards may be necessary to maintain compliance with international privacy standards.
