Why CEOs should never be first to speak after a data breach

Last Tuesday, November 11, 2025, the Data Protection Commissioner addressed a workshop hosted by the International Association of Business Communicators (IABC) Barbados Chapter. She warned that organisations in Barbados, across both public and private sectors, are still struggling to communicate data breaches effectively. Too many delay disclosure, soften the facts, or offer incomplete information at the very moment when clarity matters most.

Her remarks pointed to a wider regional problem of poor breach communication, limited preparedness, and an urgent need for stronger incident response frameworks. She stressed that this lack of transparency erodes public trust, exposes individuals to unnecessary risk, and reflects a deeper weakness in how institutions manage crises.

I will go a step further.

This problem exists partly because many business leaders believe the information collected belongs to the organisation, and therefore disclosure is optional. Some genuinely think that avoiding public acknowledgment protects the brand.

However, the real concern goes far deeper than ownership. Too many companies believe a data breach only occurs when the network is hacked. A breach also includes the misuse of personal information, and those incidents can be just as serious.

For example, consider a financial institution that collects detailed personal and financial information for a loan application, then quietly reuses that same data for unrelated purposes. The marketing team may use it to push insurance or investment products, HR or operations may share records internally because everyone is “inside the company”, and identification documents collected for verification may later be repurposed for analytics or profiling. None of this is disclosed to customers, and none of it is based on consent. If such a practice ever became public, it could trigger immediate public backlash and regulatory scrutiny, yet in many organisations this kind of internal data circulation happens every day without anyone realising it is a data breach.

In the Caribbean, we have focused so heavily on cyberattacks that we have forgotten the quieter, everyday breaches happening in plain sight.

The missing piece: Crisis communications

One of the most overlooked elements of breach management in the Caribbean is the absence of a structured crisis communications strategy. Too many organisations treat a breach as a technical failure that belongs solely to the IT department or a legal issue that should be managed behind closed doors. In reality, it is also a public trust event that must be handled with skill and emotional discipline.

When a breach occurs, executives often feel the impact personally. It happened under their watch, and the instinct is to reassure the public as quickly as possible. This usually leads to early statements that downplay the situation, offer comfort before facts are confirmed, or rely on assumptions that later prove incorrect. The result is avoidable reputational damage that overshadows the incident itself.

This is why trained communicators, not CEOs, CIOs, ministers, or heads of departments, should deliver the first public update. It is also why the Data Protection Commissioner chose to address the IABC, because crisis communication is a specialist skill that must sit at the centre of breach response. A proper communications lead will stick to verified facts, avoid speculation, and speak calmly and professionally while the investigation continues. Their role is to protect both the public and the organisation by ensuring that information shared is accurate, measured, and consistent.

In the early hours of a breach, information is incomplete. Systems may still be compromised, the scope of exfiltration may be unclear, and investigators are still determining what was breached. This is not the moment for emotional commentary or defensive statements. It is the moment for a disciplined, factual holding message that acknowledges the incident, confirms containment efforts, and commits to updates when verified information becomes available.

This approach is not about hiding information. It is about reassuring the public that the organisation they trusted is responding responsibly and with care. Once an organisation loses public trust, the technical recovery becomes the least of its problems.

Strengthening breach readiness in Caribbean organisations

If crisis communication is the missing piece, then breach readiness is the foundation it must rest on. Too many organisations discover, in the middle of an incident, that there is no internal playbook, no decision tree, no preassigned roles, and no clarity on who is responsible for what. This leads to unnecessary panic, duplicated efforts, and inconsistent messaging. Worse, it leaves affected individuals vulnerable while leadership struggles to organise a response.

A mature breach response plan should identify the first actions to take, the people who must be notified internally, and the steps required to contain and investigate the incident. It must also recognise that a breach triggers obligations under the law. Barbados requires notification to the Data Protection Commissioner within 72 hours of becoming aware of an incident, which means organisations cannot afford to improvise or delay.

Clear internal coordination is critical. IT leads must focus on containment and forensics. Legal and compliance teams must assess regulatory obligations. Human resources must prepare to support affected staff if employee data is involved. Communications must handle public messaging. When each team understands its role, the organisation can respond with confidence rather than confusion.

Just as important is the ability to support the individuals whose data has been compromised. A breach has real consequences for real people. They need clear instructions on how to protect themselves, reassurance that the organisation is taking the matter seriously, and updates as more information becomes available. Ignoring this responsibility or communicating poorly only deepens the harm.

The purpose of breach readiness is not operational perfection. Even the most secure institutions can fall victim to an incident. The purpose is to ensure that when the moment comes, the organisation acts responsibly, transparently, and with the public interest at heart.

What this means going forward

The Data Protection Commissioner’s warning should not be treated as a routine reminder from an authority figure. It is a call for organisations across Barbados and the wider Caribbean to rethink how they handle personal information and how they respond when something goes wrong.

Every Caribbean executive should be able to answer three questions today:

Who speaks first when a breach occurs?
What gets said in the first six hours?
Who verifies facts before they’re released?

If your organisation cannot answer these questions clearly, you are not prepared.

A breach is not only a technical incident. It is a moment that reveals an organisation’s maturity, its preparedness, and its respect for the people who place their trust in its hands. The organisations that will weather these moments are the ones that prepare early, communicate honestly, and keep people at the centre of their response. When leaders choose transparency and disciplined communication, they demonstrate that even in a crisis their priority is protection, not concealment. That commitment, more than any security measure, is what rebuilds trust.

steven@dataprivacy.bb

The post Why CEOs should never be first to speak after a data breach appeared first on Barbados Today.