Barbados DPA

Data Protection Act, 2019-29

Key Facts

Effective Date: March 31, 2021
Enacted: January 1, 2019
Enforcing Authority: Data Protection Commissioner
Consent Model: Opt-in
Applies To: Any entity processing personal data within Barbados or of Barbadian residents

Overview

Barbados's Data Protection Act requires registration with the Data Protection Commissioner before processing personal data and mandates breach notification within 72 hours (GDPR-aligned). Penalties range from BD $10,000 to $500,000 with criminal sanctions.

What This Means for Your Website

  • Consent with ethical and transparent processing is required for Barbadian visitors
  • Registration with the Data Protection Commissioner is required before processing
  • Breach notification must occur within 72 hours where feasible
  • Penalties range widely from BD $10,000 to $500,000
  • Criminal sanctions of 2 months to 3 years imprisonment apply

Key Requirements

The Data Protection Commissioner investigates complaints, issues guidance and enforcement notices, and imposes penalties. Registration before processing is mandatory. The 72-hour breach notification aligns with GDPR standards. DPIAs are required for high-risk processing.

How ConsentStack Handles This

ConsentStack applies ethical and transparent consent for Barbadian visitors, supporting compliance with the DPA's registration and processing requirements.

Penalties

BD $10,000-$500,000. Imprisonment: 2 months to 3 years.

Maximum Fine: BBD 500,000 per violation

Key Requirements

  • Consent with ethical and transparent processing
  • Mandatory breach notification within 72 hours
  • Register with the Data Protection Commissioner before processing
  • Data subject rights: access, correction, deletion, portability
  • Security safeguards appropriate to data sensitivity
  • Data Protection Impact Assessments for high-risk processing

Notable Provisions

  • 72-hour breach notification — GDPR-aligned
  • Registration required before processing
  • Wide penalty range (BD $10,000-$500,000)
  • Criminal sanctions (2 months to 3 years)

Other Latin America & Caribbean Regulations

LGPD (Brazil)
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.
Colombia Law 1581 (Colombia)
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.
LFPDPPP (Mexico)
Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.
Chile Law 21.719 (Chile)
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.
Argentine PDPA (Argentina)
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Peru Law 29733 (Peru)
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.

Frequently Asked Questions

Does Barbados require registration before processing?

Yes. Organizations must register with the Data Protection Commissioner before processing personal data in Barbados.

What is Barbados's breach notification requirement?

72 hours where feasible — aligned with GDPR standards.

What are the penalties in Barbados?

BD $10,000-$500,000 in fines plus criminal sanctions of 2 months to 3 years imprisonment.
