Why CEOs should never be first to speak after a data breach

On November 11, 2025, the Data Protection Commissioner delivered a keynote address at a workshop organized by the International Association of Business Communicators (IABC) Barbados Chapter. Her speech highlighted the persistent challenges faced by organizations in Barbados and the wider Caribbean in effectively communicating data breaches. She emphasized that delays in disclosure, incomplete information, and softened facts during critical moments are eroding public trust and exposing individuals to unnecessary risks.

The Commissioner identified a broader regional issue: poor breach communication, limited preparedness, and the urgent need for robust incident response frameworks. She noted that many organizations mistakenly believe data breaches only occur through cyberattacks, overlooking the misuse of personal information within their systems. For instance, financial institutions often reuse customer data for unrelated purposes without consent, a practice that could lead to severe public backlash and regulatory scrutiny if exposed.

A significant gap in breach management, she argued, is the lack of structured crisis communication strategies. Too often, breaches are treated as technical or legal issues rather than public trust events. Executives, driven by personal accountability, tend to issue premature statements that downplay the situation, leading to avoidable reputational damage. The Commissioner stressed that trained communicators, not CEOs or IT heads, should lead public updates to ensure accuracy, professionalism, and consistency.

She called for organizations to adopt a disciplined approach to breach response, starting with a factual holding message that acknowledges the incident, confirms containment efforts, and commits to updates as verified information becomes available. This approach, she noted, is crucial for maintaining public trust.

To strengthen breach readiness, the Commissioner urged organizations to develop comprehensive response plans that outline immediate actions, internal notifications, and regulatory obligations. Clear internal coordination among IT, legal, compliance, HR, and communications teams is essential to avoid panic and inconsistent messaging. Additionally, organizations must prioritize supporting affected individuals by providing clear instructions, reassurance, and timely updates.

The Commissioner’s remarks serve as a wake-up call for Caribbean organizations to rethink their handling of personal information and their response to breaches. She challenged executives to answer three critical questions: Who speaks first during a breach? What is communicated in the first six hours? Who verifies facts before release? Organizations that fail to address these questions, she warned, are unprepared for the inevitable.

Ultimately, the Commissioner emphasized that a breach is not just a technical incident but a test of an organization’s maturity, preparedness, and respect for the trust placed in it. By prioritizing transparency, disciplined communication, and public interest, organizations can rebuild trust and demonstrate their commitment to protection over concealment.