‘Hold your own key’ data protection expert warns
ST ANDREW, Jamaica— Participants at Tuesday’s data-protection forum, hosted by Blue Chip Strategies at the Terra Nova All-Suite Hotel in St Andrew, left with fresh reminders of the never-ending battle against personal-information breaches and the importance of being compliant with the Data Protection Act (DPA) in order to safeguard clients from lurking hackers.
Themed ‘Enhancing Security for Compliance with Jamaica’s Data Protection Act’, the forum featured speakers from leading international data-protection firms – Thales Cipher Trust, Cyberark and Crowdstrike – who pitched their offerings to an attentive audience spurred by the June 1 end of the grace period for data controllers to register with the Office of the Information Commissioner (OIC).
Andrew Gardner, chief executive officer (CEO), Blue Chip Strategies, said the forum was staged to arm attendees with not only tools but also the ability to locate and protect clients’ personal data.
“The need for an event like this actually predates the establishment of the act,” Gardner said. “Protection of personally identifiable information is of utmost importance. DPA is making it law, a requirement, forcing those who collect data to be responsible.”
Kirk Martin, information-technology manager, EdgeChem Jamaica, said his firm knew of the requirement to be DPA-compliant and the six-month grace period for registration.
“My company has been aware of DPA for a while,” said Martin of the law, which was passed in 2020 and took effect in December 2023.
“I already understood the need for registration but attended specifically to meet representatives of international companies offering tools and solutions to managing information under the DPA and coping with its requirements,” Martin explained.
“Even with new requirements, the data protection experts admit there is no silver bullet, snap-your-finger fix-all. I am heartened that this forum also helped in providing solutions, offering a pathway on what to do and how to handle a data-breach event.”
“Managed services, software and systems to protect data, while humans slumber, are very important for smaller companies,” Martin stressed.
Continuing, he said: “Not many companies would have the expertise to navigate managed services. The hackers are way ahead of us. That’s what they do 24/7. Managed services are what we are particularly interested in. Cyberattacks don’t sleep. Some of them are automated.”
Attorney Nicole Foga, who addressed the forum as a data protection expert alongside Chris Reckord and Andrew Nooks, emphasised the importance of having properly qualified data protection officers (DPOs) overseeing the processing of clients’ personal information.
“When the law came into effect December 1, 2023, with its six-month grace period ended June 1, 2024, it represented a paradigm shift in how businesses manage personal data,” Foga noted, pointing out that DPOs process sensitive personal data, ranging from biometrics to sexual orientation.
“The DPO’s duty is to ensure the processor adheres to DPA standards and to have measures in place to assist data subjects. The DPO must report to the OIC, within 72 hours, should any breach of data occur,” she warned, adding that data controllers must also act responsibly in disclosing to data-subjects any breach and to promptly respond to subsequent queries from affected parties.
Bryan Rivera of Thales Cipher Trust warned against data controllers believing cloud storage doesn’t need adequate protection.
“Our goal is to assess clients’ risk, then gauge how the processes and strategies implemented to protect data are working,” Rivera said, naming ransomware as one of the most common cyber threats.
“Monitoring is key to know whether you are complying or not. Migration of data to the cloud is common. The United States holds most cloud data in the world, but responsibility for protection must remain with the controller in the country of origin,” Rivera said, pointing out that “encryption cannot be decrypted unless you have access to the key”.
Responding to an audience question about a foreign country using its power of subpoena to access information, Rivera referred to the information-technology concept of “hold your own key”: the data controller, not the cloud host, keeps the encryption keys, so the host holds only ciphertext and cannot hand over readable data, or share the keys, without the controller’s cooperation.
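What “hold your own key” looks like in practice, as an added example in Go that is not from the article or from any of the vendors named in it. The record layout, the function names and the sample text are my own assumptions for illustration: each record is encrypted with a fresh data-encryption key (DEK), the DEK is wrapped with a key-encryption key (KEK) that stays with the controller, and the host stores only the ciphertext and the wrapped DEK. Anyone who obtains the host’s copy, by subpoena or by breach, cannot unwrap the DEK without the KEK, and the authenticated cipher rejects the attempt rather than yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// HostRecord is everything the cloud host stores (assumed layout).
// Note what is absent: the KEK never leaves the controller, and the DEK
// appears only in wrapped (encrypted) form.
type HostRecord struct {
	Nonce      []byte // GCM nonce for the data ciphertext
	Ciphertext []byte // AES-256-GCM(DEK, plaintext)
	WrapNonce  []byte // GCM nonce for the wrapped DEK
	WrappedDEK []byte // AES-256-GCM(KEK, DEK)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts and authenticates plaintext under key with a random nonce.
func sealWith(key, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// openWith decrypts ct under key; a wrong key fails authentication.
func openWith(key, nonce, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// Encrypt runs on the controller's side. A fresh DEK encrypts the record and
// the controller's KEK wraps the DEK. Only the HostRecord is sent to the host.
func Encrypt(kek, plaintext []byte) (HostRecord, error) {
	if len(kek) != 32 {
		return HostRecord{}, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return HostRecord{}, err
	}
	nonce, ct, err := sealWith(dek, plaintext)
	if err != nil {
		return HostRecord{}, err
	}
	wrapNonce, wrapped, err := sealWith(kek, dek)
	if err != nil {
		return HostRecord{}, err
	}
	return HostRecord{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt is the only path back to plaintext. Without the controller's KEK the
// unwrap step fails authentication and no DEK, and so no plaintext, is produced.
func Decrypt(kek []byte, rec HostRecord) ([]byte, error) {
	dek, err := openWith(kek, rec.WrapNonce, rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK without the controller's KEK: %w", err)
	}
	return openWith(dek, rec.Nonce, rec.Ciphertext)
}

func main() {
	// Constructed sample: a controller-held KEK and one client record.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := Encrypt(kek, []byte("client: J. Doe, TRN redacted, biometric template ..."))
	if err != nil {
		panic(err)
	}
	// The host (or a party that subpoenas the host) holds rec but not kek.
	hostsGuess := make([]byte, 32)
	if _, err := Decrypt(hostsGuess, rec); err != nil {
		fmt.Println("host-side decryption refused:", err)
	}
	pt, err := Decrypt(kek, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("controller-side decryption:", string(pt))
}
```

The practical consequence for a controller is that the KEK itself becomes the asset to protect and to back up; losing it makes every record unrecoverable, which is exactly the property that keeps the host out.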