Data protection is a significant issue for every company, regardless of size or industry. In Jamaica, the Data Protection Act was enacted to protect the rights of individuals with respect to the processing of their personal data. For a business, compliance with this law is critical: a penalty brings not only fines but also the reputational damage that accompanies them.
Here are five practical tips to help you comply with the Jamaican Data Protection Act:
- Start your compliance work before the deadline: The Act's provisions come into force on dates fixed by the Government. The provisions establishing the Office of the Information Commissioner took effect on December 1, 2021, and from that date data controllers have a two-year transition period, from December 1, 2021 to November 30, 2023, to achieve full compliance with the requirements of the Act.
- Register your data processing with the Information Commissioner: The Act prohibits processing without registration. Personal data shall not be processed by a data controller unless the "registration particulars" of that data controller are included in the register maintained under section 17 (or are treated by regulations made under section 16(3) as being so included).
The registration particulars are as follows:
- The data controller's name, address, and other relevant contact information.
- The name, address, and other relevant contact information of any data controller representative appointed by the data controller.
- The name, address, and other relevant contact information of any data protection officer (DPO) appointed by the data controller.
- A description of the personal data being, or to be, processed by or on behalf of the data controller and the category or categories of data subjects to which they relate.
- A description of the purpose or purposes for which the personal data are being, or are to be, processed.
- A description of any recipient or recipients to whom the data controller intends, or may wish, to disclose personal data.
- The names of any states or territories outside of Jamaica to which the data controller directly or indirectly transfers, intends, or may wish directly or indirectly to transfer personal data.
- Where applicable, a statement that the data controller is a public authority.
- Any information about the data controller as may be prescribed in regulations.
- Nominate a DPO: Under the Data Protection Act, the data controller must appoint a qualified individual as Data Protection Officer (DPO) to oversee the controller's compliance with the Act. The data controller must inform the Commissioner of the DPO's name, address and contact information, and of any changes to that information (section 20(4) of the Act).
The DPO independently monitors the data controller's adherence to the Act and must report any violations to the Commissioner. A person appointed as DPO must be qualified for the role and must not have any conflict of interest.
Exceptions to the requirement to appoint a DPO apply to data controllers that process personal data solely for a public register, and to non-profit organizations with political, philosophical, religious or trade union objectives.
- Submit your data protection impact assessment to the Commissioner: Unless the Commissioner directs otherwise, data controllers must submit annually a Data Protection Impact Assessment (DPIA) covering all personal data in the custody or control of the data controller.
The DPIA must be submitted within 90 days after the end of the calendar year and must contain at least the following:
- a detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable, the legitimate interest pursued by the data controller
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes
- an assessment of the risks to the rights and freedoms of data subjects
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect personal data and to demonstrate compliance with the Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.
- Implement a data breach policy: As a data controller, you must report any security breach that affects or may affect personal data to the Commissioner within 72 hours of becoming aware of the breach.
The notification must include the following:
- the facts surrounding the security breach
- a description of the nature of the security breach, including the categories and number of data subjects concerned, and the type and number of personal data records concerned
- the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach
- the consequences of the breach
- the name, address and other relevant contact information of the data controller's DPO
Hitachi is dedicated to helping companies worldwide comply with data protection laws. A webinar on the Jamaica Data Protection Act and how to build a robust privacy strategy will be held on Wednesday, April 5, 11:00 - 12:00 EDT.
Contact us if you would like support with your compliance or wish to take part in the webinar.