New Data Protection Act a Win for Jamaica

    JN Group

    Data protection experts say organisations and professionals should not fear the new Data Protection Act (DPA), which came into effect on December 1, as the legislation and pending regulations will help move the country forward.

    Companies have been given an additional six months to register and become compliant by Senator Dr the Hon. Dana Morris Dixon, Minister without Portfolio in the Office of the Prime Minister with responsibility for Skills and Digital Transformation.

    Speaking at a JN Group Lunch & Learn session recently, Shelly-Ann Walker, executive, data protection at the JN Group, said the DPA, passed in 2020, will transform how the personal data of Jamaicans are handled, noting that it “underpins a more resilient, respectful and secure space for doing business.”


    Ms Walker said the law is a “win” for all stakeholders involved in the processing of data and comes at a critical time when people’s personal data have become highly valuable.

    “Some people describe data as the new oil or gold and the value of it lies in its potential. Like oil and gold, those who recognise the value of personal data and extract it for use can reap huge rewards, so the DPA is really a guardian of individual privacy in this space,” she remarked.

    Ms Walker added that the new law will help organisations “get data protection right”, which they must achieve if they want to build trust among people.

    “People are not going to want to do business readily with an institution that is the subject of a fine because they have allowed personal data to be compromised,” she stressed, while reminding team members that the JN Group has long upheld the privacy of its customers and members and so the requirements of the DPA are in line with the Group’s values.

    Under the new law, organisations and individuals, defined as Data Controllers, stand to face severe consequences, including hefty fines, if they are found in breach of the law. While the regulations to support the DPA are being finalised, Data Controllers are now required to register with the Office of the Information Commissioner (OIC) during a six-month period which commenced on December 1. They are also obligated to appoint a responsible individual, such as a Data Protection Officer (DPO), to oversee their compliance with the DPA.

    According to Ms Walker, the DPA is largely modeled after the European Union’s General Data Protection Regulation (GDPR), one of the toughest privacy and security laws in the world. She shared that the JN Group has been directly impacted by this statute due to its presence in the United Kingdom via its member companies, JN Bank UK and JN Money Services (UK).

    The JN Group data protection executive explained that the DPA governs all aspects of the processing of personal data, such as an individual’s name, address or TRN, and of sensitive personal data, which includes biometric data, religious beliefs and health conditions.

    Similar to the GDPR, the DPA also has standards that data controllers must comply with when they process personal data, including when they collect, store, disclose and destroy the data, and it gives individuals certain rights over their personal data.

    “The law is simply trying to ensure that data subjects’ rights are protected while facilitating organisations’ processing of their personal data for legitimate business purposes. Data protection awareness has been a part of our discussions at JN for some time now,” she explained, while pointing to some of the organisational and technical measures that the JN Group has been implementing to ensure compliance with the DPA.


    Dwayne Brown, cybersecurity executive at the JN Group, also underscored the importance of the new robust regime in the fight against cybercrimes.

    “Quite often, people’s information ends up on the ‘dark web’. It’s a digital world that we’re living in now and if your information is unlawfully obtained, it can be used to do a number of things and so the law is about protecting customers and obligating companies to do their part in protecting the customer’s information,” he said.

    Mr Brown said the new legislation is also aimed at ensuring business continuity, and added that persons should expect it to lead to changes in processes and the use of additional technology.

    He said: “We have been implementing a number of measures to enhance data security and the work continues in this area. We all have to play our own part to ensure that the organisation is protected from malicious attacks and that our customers’ data are secured.”
