What is AI regulation in Barbados?
AI regulation: countries and regions
Barbados has no dedicated artificial intelligence law or published national AI strategy. AI is governed indirectly, mainly through the Data Protection Act, 2019-29, which is modelled on the EU and UK approach and is enforced by a Data Protection Commissioner. The government has signalled AI ambition through skills initiatives and ministerial statements, and operates within a CARICOM regional digital agenda, but no AI-specific statute, regulator or risk classification exists yet.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no single law in Barbados that says "this is how AI must be built or used." If you deploy AI in Barbados today, you are not regulated by an AI-specific rulebook. Instead, you fall under general laws that happen to touch AI, the most important of which is the Data Protection Act, 2019-29. That Act regulates how personal data is collected, processed and shared. Because most useful AI systems run on personal data, the Act effectively governs a large part of what AI does in practice: profiling, automated decisions, marketing, and the transfer of data abroad. It is closely modelled on the EU General Data Protection Regulation and the UK approach, so organisations familiar with those regimes will recognise the structure. Beyond data protection, Barbados has shown clear policy interest in AI through ministerial statements, public lectures and skills programmes, and it participates in a CARICOM regional push toward a harmonised digital space. These are direction-setting moves, not binding AI law. The honest position is that AI governance in Barbados is emerging rather than established.
Why it matters
For organisations deploying or governing AI, the absence of a dedicated AI law does not mean an absence of legal exposure. The Data Protection Act applies to AI that processes personal data, and it carries real duties: lawful and transparent processing, breach notification within 72 hours, rules on international transfers, and provisions touching automated processing. Failing to treat AI as a data-processing activity is a common and costly mistake. It also matters because the regime is in motion. A country with a functioning data protection regulator, active ministerial interest and CARICOM membership is more likely to add AI-specific rules over time. Leaders who build governance now, mapped to durable principles rather than to a specific statute, will adapt more cheaply when formal AI rules arrive. The practical stakes are compliance risk today under data protection law, and readiness risk tomorrow under whatever AI framework emerges.
How it works
The Data Protection Act, 2019-29 as the central instrument
The Act was passed in 2019 and largely came into force on 31 March 2021, with some provisions, notably the registration of data controllers and processors, brought in separately. It regulates the collection, keeping, processing, use and dissemination of personal data and protects individual privacy. It is modelled on the EU GDPR and shares much of the UK approach, including familiar concepts such as data controller, data processor, data subject and sensitive personal data. It has extraterritorial reach: controllers and processors outside Barbados are caught when they process the personal data of people in Barbados in connection with offering goods or services to them.
Duties that bear directly on AI
Several duties under the Act apply naturally to AI systems. Processing must be lawful, fair and transparent. Data subjects have rights including access, rectification, erasure, restriction and data portability. Controllers must notify the regulator of a personal data breach, generally within 72 hours where there is a risk to individuals. International data transfers are permitted only where there is adequate protection or appropriate safeguards such as binding corporate rules or standard contractual clauses. The Act also addresses impact assessment style obligations, which map onto the kind of risk review expected before deploying higher-risk AI.
The regulator: the Data Protection Commissioner and Commission
Enforcement sits with the Data Protection Commissioner, supported by the Data Protection Commission, housed within the Ministry of Industry, Innovation, Science and Technology. The first Commissioner, Ms Lisa Greaves, was appointed with effect from 15 July 2021. The Commission administers the regulatory framework for personal data, handles registration of controllers and processors, promotes public awareness of data rights and risks, and investigates breaches. It is a data protection authority, not an AI regulator, but it is the body most likely to scrutinise AI that handles personal data.
Policy signals and skills, not binding AI rules
Barbados has produced AI-relevant policy signalling rather than legislation. The Central Bank of Barbados hosted a memorial lecture on AI policy preparedness, government ministers have publicly urged strategic action on AI and digital transformation, and GovTech Barbados announced a partnership to build a national AI ecosystem including a university hackathon. These build capability and intent. None of them creates an enforceable AI duty.
The CARICOM and regional layer
Barbados sits inside CARICOM, which is pursuing a Single ICT Space and a regional digital agenda intended to harmonise ICT policy, legislation, standards and practice. AI has been raised at the regional level as something needing a coordinated response, including proposals for round-table discussion. UNESCO has also promoted an AI policy roadmap and ethics recommendation across the Caribbean. This regional layer is influential context and a likely future source of harmonised rules, but it is not in itself binding Barbadian AI law.
Examples
A Barbadian bank deploys an AI model to score loan applications. There is no AI statute to comply with, but because the model processes personal data and produces decisions about individuals, the Data Protection Act applies. The bank must ensure lawful and transparent processing, support data subject rights, and assess risk before deployment. A company outside Barbados offers an AI-driven service to consumers in Barbados. Even though it has no Barbadian establishment, the Act's extraterritorial scope can apply because it processes the personal data of people in Barbados in connection with offering them services. The provider must consider Barbadian data protection duties, including transfer safeguards when moving data abroad. A government agency pilots an AI tool as part of digital transformation work. The deployment is shaped by the Data Protection Act and by the agency's own duties, and is informed by CARICOM digital agenda direction and skills partnerships, rather than by any AI-specific compliance regime, which does not yet exist.
Common misunderstandings
Barbados has an AI law. It does not. There is no dedicated AI statute, bill or AI-specific regulator at the time of writing. AI is unregulated in Barbados, so anything goes. Incorrect. AI that processes personal data is governed by the Data Protection Act, 2019-29, with a Commissioner who can investigate and enforce. The Data Protection Commissioner is an AI regulator. The Commissioner enforces data protection law. AI falls within that remit only to the extent it involves personal data; the office is not an AI authority. Barbados has a published national AI strategy. As far as official and high-quality sources show, it does not. There are ministerial statements, skills initiatives and regional engagement, but no published national AI strategy document. CARICOM rules already bind AI use in Barbados. The CARICOM Single ICT Space and digital agenda set regional direction and aspire to harmonisation, but they are not a binding AI rulebook for Barbadian deployers.
Risks and boundaries
The main boundary is honesty about what exists. Barbados has data protection law and a data protection regulator; it does not have a dedicated AI law, an AI regulator, a statutory risk classification for AI, or a published national AI strategy. Anyone claiming otherwise is overstating the position. The legal status of some matters is genuinely uncertain or in motion. Parts of the Data Protection Act relating to controller and processor registration were proclaimed separately from the main commencement, so the precise live status of registration duties should be confirmed with the Commission before relying on it. AI-specific rules could emerge nationally or through CARICOM, but no firm instrument, date or institution is confirmed by the sources, so none should be assumed. This article explains the regulatory landscape; it is not legal advice. Organisations with material exposure should verify current effective dates and registration requirements directly with the Data Protection Commission and take qualified local advice.
What to do next
Treat your AI as a data-processing activity first. If your AI touches personal data of people in Barbados, map it to the Data Protection Act: lawful basis, transparency, data subject rights, breach notification, and transfer safeguards. Confirm the current status of controller and processor registration with the Data Protection Commission. Build governance against durable principles rather than a specific statute, since the framework is emerging. Run a documented risk assessment before deploying higher-risk AI, keep records of how models use personal data, and assign clear internal ownership. Watch CARICOM digital agenda developments and government statements for the earliest signs of AI-specific rules, and design your controls so they can absorb a future AI framework without a rebuild.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Barbados have a dedicated AI law?
No. There is no AI-specific statute or bill in force. AI is governed indirectly, primarily through the Data Protection Act, 2019-29.
Who regulates AI in Barbados?
There is no AI regulator. The closest relevant authority is the Data Protection Commissioner and Commission, which enforce data protection law where AI processes personal data.
What is the main law that affects AI?
The Data Protection Act, 2019-29, modelled on the EU GDPR and aligned with the UK approach, which governs how personal data is collected, processed and transferred.
Does Barbados have a national AI strategy?
Official and high-quality sources do not show a published national AI strategy. There are ministerial statements, skills initiatives and regional engagement, but no formal strategy document.
Does the law apply to companies outside Barbados?
It can. The Data Protection Act has extraterritorial reach where an outside controller or processor handles the personal data of people in Barbados in connection with offering goods or services to them.
What about CARICOM and regional AI rules?
CARICOM is pursuing a Single ICT Space and digital agenda, and AI has been raised regionally. This is direction-setting context, not binding AI law for Barbados.
Is there a breach notification duty relevant to AI systems?
Yes. Under the Data Protection Act, a notifiable personal data breach must generally be reported to the Commission within 72 hours where it risks individuals' rights and freedoms.
What should an organisation do first?
Map any AI that uses personal data to the Data Protection Act, confirm registration status with the Commission, document a risk assessment, and build governance that can adapt to future AI rules.