What We Do
Three disciplines. One coherent practice.
We do not offer a menu of services. We offer counsel — applied across three disciplines that are, in practice, inseparable. The organisations that engage us understand that data protection, AI governance, and accountability are not separate workstreams. They are facets of the same governance challenge.
01
Discipline One
Data Protection & Privacy
Data protection law in the Caribbean is no longer aspirational. It is in force, actively enforced in some jurisdictions, and expanding. The question is not whether your organisation needs to comply — it is whether your compliance programme is built to last, or built to look like it is.
The Caribbean data protection landscape is distinct. Trinidad and Tobago's Data Protection Act, Jamaica's Data Protection Act 2020, Barbados's Data Protection Act (Cap. 308D), the Cayman Islands Data Protection Law, and Bermuda's Personal Information Protection Act each carry their own requirements, definitions, and enforcement expectations. Organisations that apply a single GDPR template across multiple jurisdictions are not compliant — they are exposed.
We bring something rare to this market: direct experience drafting the legislation itself. Our founder was project lead on the passage of T&T's Data Protection Act and contributed to ITU model legislation on data protection and freedom of information across the Caribbean. That history means we do not interpret the law from the outside — we understand the intent behind it.
Our advisory spans the full lifecycle of a data protection programme — from initial gap assessments and compliance architecture through ongoing DPO-as-a-Service retainers, breach response, regulatory engagement, and board reporting. We work with organisations as a genuine extension of their governance structure, not as an external auditor who surfaces problems and moves on.
DPO as a Service
We serve as External Data Protection Officer across single and multi-jurisdictional mandates — providing board-level reporting, regulatory liaison, staff training, and the institutional knowledge that comes from deep, ongoing engagement rather than periodic reviews.
Compliance Programme Design
Compliance that survives contact with reality is built on sound architecture — policies, procedures, data inventories, vendor management frameworks, and governance structures that reflect how the organisation actually operates, not how it wishes it did.
Breach Response & Management
When a breach occurs, the quality of your response determines the regulatory and reputational outcome. We provide immediate advisory, notification assessment, regulatory liaison, and post-incident documentation across all relevant jurisdictions simultaneously where needed.
Data Subject Rights
Operationalising data subject rights — access, correction, deletion, portability, objection — requires more than a form on a website. We design and implement the workflows, escalation paths, and response frameworks needed to honour rights systematically and defensibly.
Regulatory Engagement
Navigating enquiries, investigations, and correspondence with data protection authorities requires advisors who understand both the law and the institutional culture of the regulator. We provide advisory and representation support across Caribbean jurisdictions.
Impact Assessment & Due Diligence
Data Protection Impact Assessments, vendor due diligence reviews, and third-party data processing assessments — conducted rigorously and documented in a form that withstands regulatory scrutiny.
For organisations building sustainable compliance programmes, we also offer access to Assura — a GRC platform designed specifically for Caribbean organisations. Assura provides structured workflows for data inventories, DPIA management, DSR processing, breach tracking, and vendor management. Ask us about Assura.
Ready to discuss what a data protection programme built for your organisation actually looks like?
Schedule a Consultation
02
Discipline Two
AI Governance
Artificial intelligence is already inside your organisation. The question facing boards and senior leadership is not whether to govern it — it is whether the governance structures in place are adequate for the decisions being made and the risks being assumed.
The deployment of AI in Caribbean organisations — in financial services, insurance, healthcare, public administration, and HR — has outpaced the governance frameworks meant to oversee it. Decisions that affect whether someone receives credit, insurance, employment, or public services are increasingly made or influenced by algorithmic systems. Those systems carry real accountability implications, and the organisations deploying them carry real liability.
AI governance is not primarily a technology problem. It is a governance and accountability problem. It requires understanding what the system does, what data it uses, what decisions it influences, who is accountable when it fails, and how human oversight is preserved.
We help organisations build AI governance architecture from the ground up — or assess and strengthen what already exists. Our work is grounded in internationally recognised frameworks including the NIST AI Risk Management Framework, ISO 42001, and the OECD AI Principles, applied with an understanding of Caribbean regulatory context.
AI Governance Frameworks
We design and implement AI governance frameworks tailored to the organisation's risk profile, regulatory environment, and operational context — covering oversight structures, accountability assignments, documentation requirements, and escalation pathways.
Third-Party AI Assessment
When an organisation deploys a vendor's AI system, it does not shed accountability for the decisions that system influences. We conduct structured assessments evaluating transparency, data handling, decision logic, bias risk, and contractual accountability provisions.
Board & Executive Advisory
Boards are increasingly expected to exercise meaningful oversight of AI systems. We provide board-level briefings, governance committee advisory, and reporting frameworks that turn technical AI risk into the strategic and fiduciary language governance structures require.
AI Policy Development
Acceptable use policies, AI procurement policies, human oversight protocols, and incident response procedures — the policy infrastructure that operationalises governance principles and gives staff clear direction on how AI tools are to be used.
AI Risk Assessment
Structured risk assessments of AI systems in deployment — identifying data risks, decision-making risks, operational risks, and reputational exposures. Output is a documented assessment that supports both internal governance and external accountability.
Maturity Assessment
A structured evaluation of where the organisation's AI governance maturity currently sits — across transparency, accountability, human oversight, data governance, and risk management — with a prioritised roadmap for closing gaps.
Concerned about how your organisation is governing the AI systems it has already deployed?
Schedule a Consultation
03
Discipline Three
AI, Ethics & Human Rights
Compliance is the floor, not the ceiling. Organisations that deploy powerful technology at scale have obligations that extend beyond what any regulator currently requires. This discipline is for those who understand that distinction.
The deployment of AI systems in consequential domains — credit decisions, insurance underwriting, employment screening, public service delivery, law enforcement — raises questions that governance checklists do not resolve. Questions about fairness, dignity, power, and who bears the cost when automated systems fail the people they are supposed to serve.
This is not an abstract concern. It is a practical governance and reputational risk for organisations in this region. The Caribbean has a particular history with systems that distribute advantage unequally, and the communities most likely to be affected by poorly governed AI are often those with the least recourse.
Our advisory in this discipline draws on international human rights law, AI ethics scholarship, and direct experience in public sector governance and institutional accountability. It is grounded in practice rather than theory — we advise on concrete decisions, concrete systems, and the concrete governance structures needed to hold them accountable.
Human Rights Impact Assessment
A structured assessment of how an AI or data system may affect the rights of the people it touches — including rights to privacy, non-discrimination, due process, and dignity. Grounded in UN Guiding Principles and international human rights frameworks.
Responsible AI Advisory
Advisory on the design and deployment of AI systems that are fair, transparent, and accountable — covering bias assessment, explainability requirements, meaningful human oversight, and redress mechanisms for affected individuals.
Ethics Framework Development
We help organisations develop AI ethics frameworks that are substantive rather than performative — grounded in the organisation's actual context, the communities it serves, and the specific harms its systems could cause.
Institutional Transparency Advisory
Advisory on information governance, access to information obligations, and the design of transparency regimes for public and quasi-public institutions — drawing on direct experience in freedom of information administration and public sector governance.
Digital Policy Advisory
Advisory on the intersection of digital technology, governance, and public policy — including the political economy of AI adoption, digital rights frameworks, and the governance implications of national digital transformation programmes.
Board Briefings & Training
Tailored briefings for boards, audit committees, and senior leadership on the ethical and human rights dimensions of AI — building the institutional literacy needed to ask the right questions of those deploying and procuring AI systems.
Thinking about the ethical and rights-based dimensions of your organisation's technology decisions?
Schedule a Consultation
Work With Us
The organisations that engage us are already asking the right questions.
Our practice is built for organisations that have moved past the compliance checkbox and recognised that data, AI, and accountability are governance questions with real stakes. Let's talk.