Data protection everybody’s responsibility
With the Data Protection Act set to come in effect December 1, 2023, cybersecurity experts are renewing calls for companies to educate their employees on how to protect company data.
During a webinar titled ‘Staying Ahead of the Game: Preparing for Jamaica’s Data Protection Act Confirmation’, hosted on Thursday by the American Chamber of Commerce in Jamaica (AMCHAM), Symptai consultant and tTech senior manager of IT compliance and privacy Stuart Hylton recommended several measures companies could put in place to get themselves prepared.
Under the new legislation, companies are required to notify the data subject affected within 72 hours of a breach occurring. Hylton said the Act will hold companies accountable.
“Gone are the days when companies keep data breaches to themselves. Now we have an obligation that if you identified a breach, you notify the data subject as well as the information commissioner,” he explained.
Come December 1, there will be consequences for companies that aren’t doing enough to protect customers’ data. To reduce the risk of data breaches, Hylton suggests that companies sensitise all individuals within their organisations about the threats that exist, possibly in the form of an information security sensitisation session highlighting best practices published by other entities online.
He stressed, however, that while this information is available online, businesses should refrain from copying another company’s policy and should instead customise their policies to align with their own culture and local legislation. At the same time, he also recommends basic privacy practices for staff.
“We need to be clear about locking our computers when we’re not in front of them, making sure to keep our desk clear if we’re not at the desk or leaving at the end of the day, not clicking on malicious links and e-mails,” Hylton said.
Expounding on the last measure, he argued that it is the most critical step in preventing data breaches because, no matter what protection software is in place, one individual making the wrong click can bring down an entire system.
Hylton’s remark echoed a similar sentiment shared by Minister Floyd Green who, in December last year, revealed that the Government is aiming to work with the private sector to train government employees in basic cybersecurity principles, because oftentimes that is the entry point for an attack.
Moreover, the consultant advised companies to get a third-party assessment of their security posture as well as recommendations on how to improve it.
While hacking and phishing are the most commonly discussed causes of data breaches, the possibility of someone walking in and taking valuable company information from desks still exists. With this in mind, companies are being encouraged to make the mass destruction of physical documentation a routine practice.
“Verify again that this information is not needed first and then start going about some mass destruction,” Hylton said.
In the meantime, because the Data Protection Act does not yet have accompanying regulations in place, Shelly-ann McGregor, partner at Nunes, Scholefield, DeLeon & Co, offered short-term measures that would help companies comply with the Act: conduct an audit to assess whether you need all the personal data you hold; record where personal data is held; review any consent permitting use of the data; ensure that all personal data held on an individual can be found if requested; and consider the need to limit employee access to certain clients’ personal data.
She also warned that under the Act no company is exempt and all are required to be compliant.
“As long as you are a data controller, then there is no distinction between you being a small entity or a large one; the obligations are the same,” McGregor pointed out.
She explained that once a company determines what it collects and how that data is to be stored and processed, it will be subject to the stringent requirements under the Act. As such, she urged companies to get themselves ready for registration and to understand what they need to do to become compliant.
Over the last few years, a number of large corporations, including financial institutions, have experienced data breaches, demonstrating that offices and e-mail are at risk no matter how secure a company’s systems are.
Hylton, therefore, concedes that mistakes do happen and that a data breach is still possible, “but what we need to understand under the legislation is, do we have a way to respond to those breaches in a timely manner and hopefully safeguard the interest of the data subject as quickly as possible?”