Preparing for the Data Protection Act
COMPANIES have been urged to begin making preparations for the Data Protection Act which will come into effect December 1 this year.
Within the last month, two of Jamaica’s leading cybersecurity providers — Symptai Consulting and tTech — have tackled in separate fora the state of readiness of businesses to comply with the Act.
Passed in June 2020, the Data Protection Act provides guidelines on how personal data should be handled in physical or electronic form. All business owners who manage customer data must familiarise themselves and their staff with the tenets of this Act in order to ensure compliance.
During the Symptai webinar titled ‘Unmasking the Monster’, held Tuesday, January 10, Director of Research and Engagement Andre Palmer quizzed panellists on whether there was still sufficient time to meet the deadline to satisfy the requirements of the Data Protection Act, including registering a data controller with the Office of the Information Commissioner. While the panellists agreed that there was still time, the webinar highlighted the imperative to begin immediately, focusing on the critical things to be submitted to the information commissioner.
Chief risk officer at Symptai Andrew Nooks pointed out, however, that given the shortage of information technology personnel in Jamaica and the global competition to acquire those skill sets, companies should not wait until the last minute to look for an IT expert to help meet the deadline.
On another note, while some companies may not know where to begin preparing to meet the requirements of the Act, Stuart Hylton, Symptai’s senior manager of IT compliance and privacy, said they “should start with security governance framework and an adequate information management system, as this will ensure sufficient administrative controls”. In the same vein, Hylton encouraged the companies to take ownership of the data privacy and protection functions within their organisations.
“Put together a cross-functional team to include information security, legal, compliance, risk, regulatory management, customer service and business intelligence to manage your privacy programme,” he said, adding that companies should solicit the support of a third party for an independent validation of their programmes.
According to statistics, a large portion of data leaks and data breaches are the result of employees’ ignorance or acts of negligence. However, according to Grace Lindo, partner at Carter Lindo, within the eyes of the law employees should be held responsible.
“…so this is a rights-based law which is trying to balance their [data subjects’] rights with your [data controllers’] commercial demands”, she shared.
While noting that the penalties and fines for breaching the Act stand regardless of the reason, she added that it was incumbent on organisations to properly educate their staff on sound data privacy practices in order to operate in compliance with the law.
Understanding the nature of the Data Protection Act was, however, the major concern raised during the tTech webinar held Saturday, January 28, in observance of Data Protection Day.
Addressing the matter of what businesses need to know to be compliant with the Act, tTech security specialist Jaleel Henry argued that there is no guesswork in achieving compliance with the legislation.
“The seventh standard of the Data Protection Act speaks to a specific set of technical measures that are required for entities across the board to implement that will ultimately ensure that, where they are in a position to receive and process customers’ personal data, it is not accessed or shared by unauthorised persons,” he explained.
“This means that businesses — to avoid embarrassment from breaches, incidents of fraud, client mistrust and legal ramifications — need to have a robust plan of action in place by the compliance deadline, December 1, 2023,” he continued.
Still, there are some businesses that are of the view that the law will not apply to them and, by extension, neither will the sanctions and fines, according to Chukwuemeka Cameron, founder of Design Privacy.
“They think it’s just the ‘big guys’ that get targeted,” he said, warning that: “On the contrary, businesses of all sizes and across all industries will find that they will not be exempt from the strict data protection and IT compliance laws — and breaches of these laws could unfortunately see monetary fines up to four per cent of their revenue.”
Cameron, who has been working alongside tTech over the last three years on data protection efforts, indicated further that companies which are seeking or already have relationships with international trading partners will need to be compliant with the Data Protection Act — which is aligned to the European Union’s General Data Protection Regulation — to maintain those relationships.
Accepting credit card and debit card payments, onboarding new clients, and accessing clients’ records are some operations of a business that will be regulated under the law. However, if there is a breach the data commissioner has the authority to fine or order businesses to cease operations.
The Jamaica Observer reached out to the Private Sector Organisation of Jamaica (PSOJ) to ascertain the readiness of its members for the Data Protection Act to come into effect. In response the PSOJ said that 37 per cent of its membership were prepared for the implementation of the Act. Among respondents saying “No”, 55 per cent disclosed that there is a “lack of clarity around the regulations” for companies and that they don’t know what they need to do in order to comply.
Though not entirely prepared, the other members responding “No” said they are in the process of finalising policies and procedures to comply with the Data Protection Act.
During the tTech webinar, Mayberry Investments Limited Chief Information Officer Krishna Singh and GraceKennedy IT Operations Manager Omar Bell revealed that they have begun the “meticulous compliance process with tTech’s help”.
Both agreed that consideration of the legal, technical, and other risks was driving their decision to become compliant, despite the challenges.
The Jamaica Institute of Financial Services will host a workshop on ‘Privacy and Data Privacy’ on Wednesday, February 15.