When I first heard about the General Data Protection Regulation (GDPR), I did not receive it warmly. From the perspective of someone working inside a financial institution, the idea that a customer could ask for personal data to be removed sounded unrealistic. Banks are not casual data collectors. They operate under strict legal and regulatory duties that require them to identify customers, verify source information and retain records for compliance and investigative purposes.
In Jamaica, that obligation is reinforced by the Proceeds of Crime Act and the Proceeds of Crime (Money Laundering Prevention) Regulations (AML), which require financial institutions to keep customer identification records, transaction records and related business correspondence. Those obligations reflect wider global standards promoted by the Financial Action Task Force (FATF) and enforced through domestic supervisory frameworks that include the Bank of Jamaica and other competent authorities.
At first glance, GDPR and Jamaica’s Data Protection Act, 2020 can seem to pull in the opposite direction. Privacy law speaks the language of data minimisation, purpose limitation and, in some cases, erasure. AML law speaks the language of customer due diligence, retention and audit trails. One appears to say, collect less and delete sooner. The other says, verify more and keep it longer.
Over time, however, I came to see that the tension is not really a contradiction in law. Both GDPR and the Data Protection Act, 2020 allow personal data to be retained where processing is necessary to comply with a legal obligation. The real challenge is architectural. Engineers inside banks must design systems that can satisfy both regimes at once.
That means building data environments that can retain records required for AML compliance while also enforcing strict access controls, clear retention schedules, auditability and protection against misuse. It also means being more deliberate about what is collected in the first place.
What initially felt like an impossible compliance burden now looks more like a design problem. For financial institutions in Jamaica and elsewhere, the future will belong to systems that can reconcile GDPR-style privacy expectations with AML record-keeping obligations without compromising either. These pressures are beginning to reshape the infrastructure that financial institutions depend on, a broader shift explored in "Why Data Protection Is Reshaping Financial Systems".

