Building data privacy policy
With cybersecurity attacks on the rise in the Caribbean, many leaders wonder how they can best protect their organisations from malicious actors. Although it’s easy to picture black hat hackers randomly targeting your business, improving your internal procedures can prevent data breaches. According to a 2020 report, data phishing attacks alone cause 90 per cent of data breaches.
Given increasing regulation around data protection and privacy, such as the Data Protection Act of 2020 enacted in Jamaica, businesses should consider implementing or reviewing existing privacy policies to protect themselves from cybersecurity attacks.
What is a privacy policy?
A privacy policy is a legal document outlining how your organisation gathers, uses, shares, discloses, disposes of and manages the information you receive from parties for commercial purposes. It should share all the key “W’s” of personal data — the what, why, when, where and how of collecting a customer’s information. While businesses need to collect information to do their work, individuals have a right to know about the full spectrum of its use.
Before establishing your organisation’s privacy policy, you should consider if you already have one. While best practice is to have a separate document outlining your privacy policy, you may already have terms in contracts or service agreements that can be used in the new framework.
What should your privacy policy include?
Typically, you should consult with legal advisors and cybersecurity advisors to build your privacy policy. But as you consider the critical components of your privacy policy, you can look to the privacy acts already in place across many regions in the Caribbean.
Jamaica’s Data Protection Act, while not in effect until 2022, is expected to be influential in the Caribbean region. It’s considered an effective and comprehensive privacy law, drawing heavily from the EU’s GDPR laws.
Few companies enjoy writing privacy policies. But it can be an underrated opportunity to enhance goodwill with your customers. Consider the following components of privacy policies that can help win customers over:
Precisely defined scopes — Be specific about what you are collecting and what other organisations you share it with. Doing so may be required by law where you are. For example, Barbados’ Data Protection Act has several restrictions on sharing data with organisations outside of the country.
Clear language — Many people reading your privacy policy won’t have a security or legal services background. Make it easy to read by providing definitions for any uncommon terms, using headings to split it up, linking to any relevant sources and writing in short, scannable paragraphs.
Personalisation — Give your customers options to customise permissions for their data to be collected, used and shared. When possible, be descriptive about how your organisation uses the information — avoiding generic terms.
Considerations of your country’s privacy laws — While US federal privacy laws have many consistencies across the Caribbean, some critical differences exist across different jurisdictions. Ensure that you consider where your business operates and where your customers live, and how that may affect the privacy policy you need to build.
Accountability and openness — Make sure it’s easy for customers and other stakeholders to find your privacy policy. Provide contact information so stakeholders can ask questions if needed.
Submitted on behalf of the Jamaica Technology and Digital Alliance by Stephen Juteram, vice-president – sales, Caribbean. stephen.juteram@hitachi-systems-security.com. Feedback to marketing@jtda.org.