Affording compliance with the Data Protection Act
While small businesses, due to their size, may not need to appoint a data protection officer when the Data Protection Act (DPA) comes into effect on December 1 this year, Information Commissioner Celia Barclay is encouraging them to begin investing now to ensure compliance.
Speaking to reporters during a recent Jamaica Observer Business Forum, she said that while it can be costly to become compliant, it is even more costly not to comply with the legislation.
“Ideally, we would love for persons to be in a position to make a required investment at the outset and become fully compliant for December 1, but we are reasonable and we appreciate that, notwithstanding the two-year transitional period, persons are at different levels and have different resources and so naturally, they will be at different stages in terms of compliance,” the head of the Office of the Information Commissioner (OIC) continued.
However, while noting that the OIC will not excuse businesses for non-compliance with the DPA, she urged them to recognise the importance of taking steps now to measure up to the law. In this regard, Barclay said small business owners should, “at the very least, start with talking to somebody” who understands the requirements of the DPA and how to fulfil those requirements.
Such a conversation should help the business owner to ascertain how the Act applies to him or her, the state of readiness and compliance of the business, and the measures needed to achieve full compliance. Following this, small business owners should create a plan highlighting “where your greatest risk falls [and] what are the things you need to do first and foremost,” Barclay told Business Observer.
“Is it that based on how you’re operating now, you need to invest a bit more in terms of the security aspect or you have a sufficiently secure system? And maybe what you really need to do is to flesh out your privacy framework,” the information commissioner advised.
Pointing to the fact that becoming compliant with the DPA will be a work in progress, she stated that business owners should have the same expectation for maintaining compliance with the law.
“…it’s not one of those goals that you achieve and you check the box, and it’s like, ‘okay, I’m there’. Things are constantly changing and even without any change, the obligation [to remain compliant] is a constant and continuous need. So you always have to be maintaining the standards and always have to be doing certain things to ensure that you are compliant,” Barclay outlined.
On this note, she emphasised the need for small businesses to begin moving towards becoming compliant with the DPA now.
Passed in June 2020, the Data Protection Act provides guidelines on how personal data should be handled in physical or electronic form, drawing inspiration from the European Union’s General Data Protection Regulation. The Jamaican legislation shares some similarities with those of The Bahamas and Barbados.
According to the Organisation of Eastern Caribbean States, “the Data Protection Bill is provided as a complement to the Electronic Transactions Bill. The Data Protection Bill aims to ensure that personal information in the custody or control of an organisation, whether public or private, shall not be disclosed, processed or used other than the purpose for which it was collected, except with the consent of the individual and where exemptions are clearly defined”.