Reasons boards should care about the impending Data Protection Act
For those not interested in reading the entire article I have saved you the hassle:
1) The commissioner, once established, has the power to stop your business if your core business involves the processing of personal data and you are in contravention of the Act.
2) A simple data breach can lead to a class action, which until now has not been a feature of our civil litigation and which exposes organisations to large fines.
3) The commissioner has the power to issue large fines that can significantly impact your business.
4) A contravention of certain provisions of the Act is criminal and attracts custodial sentences.
5) Enforcement proceedings can be instigated by employees, customers, or any data subject whose personal data you process.
For those who want to know more, a joint select committee of the Jamaican Parliament has now completed reviewing all the recommendations and making all the amendments to the proposed Data Protection Act. According to the aggressive timetable set by Minister of Technology Fayval Williams, the ministry should have compiled the final report by January 2, 2020 and submitted it to her on the same day. Williams committed to complete reviewing the report by the following day and then circulate it to the rest of the committee on January 3, so it can be considered by the committee on January 8. This timetable is in keeping with the commitment given by the Government to have this Bill piloted through the Parliament in a timely manner.
Having observed how steadfastly the joint select committee worked on getting the Bill to this stage, there can hardly be any question that it will be enacted sooner rather than later. We must always be mindful, however, that there’s many a slip ’twixt the cup and the lip.
First things first, the Data Protection Bill, in its current form, provides for a one-year transition period. During this transition period, however, the administrative parts of the Bill are slated to be rolled out; that is, the establishment and staffing of the commission. During this one-year period no proceedings under the Act will be taken against a data controller in respect of any data processing done in good faith. This is understandable, as there would be no operational commission at the inception to initiate any type of proceedings under the Act. What it does mean is that at the end of the transition period the commission should be prepared to hit the ground running. While one year may seem like a long time, given the enormity of the impact the Act will have on day-to-day business operations, it may not be sufficient.
Having come to grips with the imminent passage of the Data Protection Bill, why should a board or executives concern themselves or, worse yet, incur any additional expenses as a result of it? This question may be raised especially in our national context, in which we do not have a culture of privacy nor do we take cybersecurity and data privacy very seriously. Unfortunately, common business practice may dictate that this is something the legal and/or IT teams can deal with without any budgetary or executive level support. Here are a few reasons this approach may not be sufficient.
As the law is currently proposed, where a data controller contravenes any of the data protection standards, the commissioner may serve the data controller with a notice requiring the data controller, among other things, to refrain from processing any personal data. If your core business relates to the processing of personal data, this action by the commissioner can bring your business to a grinding halt.
Alternatively, the commissioner may serve a data controller with a fixed penalty notice (a fine) where he is satisfied that there has been a serious contravention of any provision of the Act; that it was of a kind likely to cause substantial distress; and that the data controller knew or ought to have known that there was a risk that the contravention would occur and would be of a kind likely to cause substantial distress, but failed to take reasonable steps to prevent it. Set out in the included table are the top 10 fines that have been levied by supervisory authorities across Europe for last year. This table was compiled by the website Enforcement Tracker.
It is noteworthy that more than half of the violations related to “insufficient technical and organisational measures to ensure information security”. That would be akin to our data processing standard number seven. We can discern that what the companies were being sanctioned for was not necessarily a data breach, but the fact that they failed to put in place the appropriate technical and organisational measures to avoid a data breach. It is no longer prudent for businesses to be satisfied that they can access their business information; they must now ensure that the requisite governance structures and technical solutions are in place to ensure the confidentiality, integrity, and availability of the personal data. Our section 70, as the proposed Act is currently drafted, makes a body corporate liable to a fine not exceeding 10 per cent of the annual gross income of that body corporate for certain contraventions of the Act.
Also worthy of note is the fact that a person who commits an offence under the Act, in addition to being fined, can also be imprisoned for up to five years.
Given the nature of data breaches, the Data Protection Act opens companies up to what are traditionally known in the United States as class actions. While we have always had the ability to bring representative actions, section 71 of the Data Protection Act provides that: “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.” An example of a data breach can be where a customer list containing customers’ personal data is stolen, lost, or accidentally disclosed or destroyed. The size of the customer list will determine the size of the class action, assuming the data subjects suffered some form of damage. Although the damages suffered by each data subject may be minimal, which would entitle them only to nominal damages, the cumulative effect of the class action could be detrimental to a company. From time immemorial the legal profession has been accused of having ‘ambulance chasers’. With this new law, attorneys may be incentivised to vigorously defend the privacy rights of data subjects.
Coincidentally, as I was writing this part of the article I received an e-mail from a company that was wishing their customers season’s greetings — a company I have never done business with before. This e-mail, however, was CC’d to at least 400 other people; in addition to the e-mail address, the full names were also disclosed. When I referenced the “nature of data breaches”, this is a good example of what I was talking about. Fortunately, or unfortunately, the e-mail was only forwarded to their customers with first names beginning with A to C. Under the proposed Data Protection Act this would be a data breach that would entitle all the individuals whose names and e-mail addresses were exposed to damages once they could establish they suffered some distress or damage.
Finally, an organisation — again, given our culture — may erroneously think that it can fly below the radar of the supervisory authority. The problem with this line of thinking is that an investigation by the commission can be instigated by a number of actors. Firstly, you have the data protection officer, who is obliged to advise the commission of a data breach where there is a risk to the privacy rights of data subjects and the organisation fails to take any, or any sufficient, corrective action. Disgruntled employees can also make a report of any inappropriate activities or lack of proper safeguards. Most significantly, all your customers — whose privacy rights you are responsible for safeguarding — can also lodge a complaint with the supervisory authority, which can then lead to an investigation.
In light of the size of the fines, the power of the commissioner, the possibility of custodial sentences, and the ability of several actors to hold organisations accountable, boards can no longer afford to ignore IT departments who have been clamouring for budget allocations to implement information security solutions.
The script has now been flipped and the prudent board or executive team would now be the one pressuring their IT and legal departments to ensure the appropriate technical and organisational measures are in place to safeguard the privacy rights of customers and other data subjects.
Chukwuemeka Cameron is an attorney, trained data protection officer, and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Send comments to the Observer or ccameron@designprivacy.io.