Grenada’s Data Protection Act, 2023 has been assented to and formally published, but it is not yet in force — awaiting the signature of the responsible minister to bring it into operation via order in the Government Gazette.
That action could occur at any time. Yet even before the act is proclaimed, another legal development looms large over the financial sector: the Banking (Amendment) Bill, 2025.
Though withdrawn from Parliament at the last moment on 17 June, this bill is expected to return, and with it, a package of data protection-style obligations targeted squarely at Grenadian financial institutions.
A financial bill with a privacy backbone
The proposed Banking Bill is part of a harmonised Eastern Caribbean Currency Union (ECCU) effort to enhance market conduct regulation. But for banks and credit unions, its most consequential sections are the consumer protection rules that mirror — and in some cases, anticipate — the core duties of the not-yet-active Data Protection Act (DPA).
Under the proposed changes, financial institutions must:
- Protect non-public personal data of customers and disclose how it is collected, used, and shared
- Provide written privacy policies and limit data processing to disclosed purposes
- Notify both the Eastern Caribbean Central Bank (ECCB) and affected customers within 24 hours of a data breach
- Ensure all third parties or agents who handle personal data comply with confidentiality standards
- Facilitate customer access to, and correction of, their personal data
These requirements would be enforceable by the ECCB, independent of the Information Commission established under the Data Protection Act.
Two regimes, same compliance principles
Even though the DPA is not yet operational, its key principles already appear, almost verbatim, in the Banking Bill.
What this means for financial institutions is that compliance must begin now — not when the DPA is eventually commenced, and not when the Banking Bill is passed. The regulatory architecture is already visible, and institutions will soon face dual enforcement from the ECCB and the Information Commission.
Why preparation cannot wait
Once Parliament reintroduces and passes the Banking Bill, its provisions may take effect immediately upon assent — unlike the DPA, which remains dependent on ministerial proclamation. This makes the financial sector one of the first regulated environments in Grenada where data protection obligations will become legally binding.
In addition, once the DPA is commenced:
- Banks and credit unions will be classified as “data users” obligated to establish formal compliance procedures (Section 14)
- They will be subject to audit, complaints, and enforcement actions by the Information Commission (Parts V and VI)
- Offences such as the intentional disclosure of information and failure to protect data will attract criminal liability and fines of up to EC$200,000 or 2 years’ imprisonment (Section 39)
What financial institutions should do now
Given the high overlap between the 2 laws and the immediate applicability of the ECCB’s rules, Grenadian financial institutions should:
- Map all personal data collected or processed, especially in connection with customer onboarding, credit assessments, and mobile banking
- Review existing privacy notices, breach protocols, and third-party contracts for compliance gaps
- Develop or update data protection policies aligned with both the DPA and the ECCB’s expected Codes of Conduct
- Begin training staff across departments — not just legal and IT, but also front office, marketing, and operations
- Prepare to engage with 2 regulators: the ECCB on banking conduct, and the Information Commission on general privacy duties
Final thought: Privacy compliance starts now
Even before the Data Protection Act takes effect, Grenadian financial institutions are already facing a de facto privacy regime via the Banking (Amendment) Bill. Waiting for the minister’s order to begin compliance is no longer a viable strategy. The smarter move is to treat the act and the bill as mutually reinforcing mandates.
Compliance today is not just about avoiding penalties. It’s about positioning your institution as trustworthy, transparent, and competitive in a digital age where data is currency, and regulators are watching.