Data protection: Where do I start?
On December 1, 2023, the remaining sections of the Data Protection Act (DPA) came into force. On the eve of the day the remaining provisions were set to come into full force, the Office of the Information Commissioner (OIC) issued a press release advising that all data controllers will be given a six-month ‘grace’ period to register with the OIC. During this period, data controllers are encouraged to create an account on the OIC’s website, create and implement a data protection programme for their organisation and continue to prepare for registration. But where does one begin?
Does the DPA apply to me and my business?
A data controller is defined in the DPA as any person or public authority, who, either alone or jointly or in common with other persons, determines the purposes for which and the manner in which any personal data is or is to be processed. Where personal data is required to be processed under any law, the person on whom the obligation to process the personal data is imposed by or under that law will also be a data controller.
Personal data is defined under the DPA as information (however stored) relating to a living individual, or an individual who has been deceased for less than 30 years, and who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller. Personal data includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual.
The DPA applies to a data controller who:
a. is established in Jamaica or in any place where Jamaican law applies by virtue of international public law, and the personal data are processed in the context of that establishment; or
b. though not established in Jamaica, processes personal data of a data subject who is in Jamaica, where the processing activities are related to the offering of products or services to data subjects in Jamaica (irrespective of whether a payment by the data subject is required), or to the monitoring of the behaviour of data subjects in so far as that behaviour takes place within Jamaica.
Each of the following shall be treated as established in Jamaica for the purposes of the DPA:
a. an individual who is ordinarily resident in Jamaica;
b. a body incorporated under the laws of Jamaica;
c. a partnership or other unincorporated association formed under the laws of Jamaica;
d. any person who does not fall within any of the above categories but who maintains in Jamaica an office, branch or agency through which he carries on any activity or a regular practice.
Registration with the OIC
The OIC is the office established under the DPA tasked with oversight of the data protection regulatory regime in Jamaica. Data controllers are required to register with the OIC. The DPA sets out the information required for registration which includes:
a. the data controller’s name, address and other relevant contact information such as a telephone number and e-mail address;
b. if the data controller has appointed a data controller representative for the purposes of the DPA, the name, address and other relevant contact information of the data controller representative;
c. the name, address and other relevant contact information of the data protection officer (where applicable);
d. a description of the personal data being, or to be, processed by or on behalf of the data controller and the category or categories of data subjects to which they relate;
e. a description of the purpose or purposes for which the personal data are being, or are to be, processed;
f. a description of any recipient or recipients to whom the data controller intends, or may wish, to disclose the personal data;
g. the names of any states or territories outside of Jamaica to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the personal data;
h. where the data controller is a public authority, a statement of that fact;
i. such other information about the data controller as may be prescribed;
j. a general description of the technical and organisational measures to be taken for the purpose of complying with the DPA.
Data controllers may create an account on the OIC’s website; however, registration as a data controller is not permitted at the time of writing this article. It is expected that registration will be permitted upon the passing of the regulations to the DPA.
Personal Data and how it is processed
A data controller should assess the personal data it is processing and establish lawful reason(s) for processing each type of personal data. This will assist the data controller in determining whether the processing is necessary, or desirable, and the legal basis for processing that personal data. Legal bases for processing include legal obligation, legitimate interests and consent. It is important that a data controller is attentive to the circumstances where personal data is processed based on consent, as consent may be withdrawn at any time, and once consent is withdrawn the data controller may no longer rely on consent as its lawful basis for processing that personal data. Data controllers must ensure that consent is sought, obtained and recorded in accordance with the DPA. Conducting a data mapping exercise and preparing a data asset register is useful to pinpoint each type of personal data, each processing activity and the legal basis for that processing. Data mapping involves tracking, documenting and integrating the various data elements (e.g., data sources, fields, systems and warehouses).
The next step is to take a deeper look at how data is processed and determine any weaknesses or areas of non-compliance. Data controllers must review the processing activities being carried out and identify where there are transfers to third parties and processing by data processors. A data processor is defined as any person, other than an employee of the data controller, who processes personal data on behalf of the data controller. In this exercise, the data controller must also determine the technical and organisational security measures, if any, being relied on to protect the personal data, and whether they are appropriate for the personal data being processed.
Using the information collected, data controllers must prepare a road map for compliance. A crucial component will be the existence of a privacy policy. A privacy policy is the outward-facing document which sets out what data is processed, how it is processed, the basis for processing, relevant contact information and any other procedures such as data subject access requests. Data controllers must also consider any other business processes, policies or other documentation that should be reviewed or drafted in order to comply with their ongoing obligations under the DPA, including notifications to the OIC and responding to data subject access requests.
Data protection is often seen as intimidating, costly and burdensome, and some feel it is a task only for larger institutions; however, this is not so. The DPA applies to data controllers of all shapes and sizes, and so it is important for all to be alive to issues relating to data protection and developments in the space. Data controller non-compliance carries with it the risk of reputational damage, loss of consumer confidence and significant penalties. The investment in data protection should be seen as an investment in the protection of your business' brand and hard-earned reputation.
Data protection is by no means a one-size-fits-all exercise, and preparing for the DPA requires time, effort, thoughtful planning and, at times, professional assistance. This article identifies some of the key areas you may wish to consider as you start, or hopefully continue, your own data protection journey.
Joanna Marzouca is an associate at Myers, Fletcher & Gordon in the Commercial Department. She can be contacted via joanna.marzouca@mfg.com.jm or myersfletcher.com. This article is for informational purposes only and does not constitute legal advice.