Carolyn Bell-Wisdom | Prepare for Jamaica Data Protection Act or face consequences
Since May 2018, when the European Union General Data Protection Act (GDPR) was enacted, there have been over 200 fines levied, totalling more than €467,000,000. This includes fines in 16 separate cases where individuals, small businesses, and even a city, were fined for data-privacy violations related to video surveillance. In one case, an individual was fined €20,000 for video surveillance that was set up to protect his property, but which also surveilled employees – a violation of the principle of data minimisation, a fundamental consideration inherent in the regulation.
In Jamaica, there is cautious optimism, and in some cases trepidation, as we await the soon-to-be enacted Jamaica Data Protection Act, 2020. Notwithstanding, it is largely accepted that enacting data-protection laws is necessary for Jamaica to effectively compete in an increasingly digital global marketplace.
In fact, data protection is seen as essential to modern-day international trade. Although there will be a grace period for compliance with the act, organisations need to start preparation now to ensure that they have adequate procedures in place, especially when considering that non-compliance could result in prison terms of up to 10 years and fines of up to four per cent of a company’s annual gross worldwide turnover.
The Jamaica Data Protection Act will be the first cross-sectoral and comprehensive law applied to personal data in Jamaica. This means that whether you are a regulated business already acquainted with compliance laws and regulations or a small or medium-sized business that does not currently face significant regulatory scrutiny, the law will apply to you.
Since the law applies to personal data, which in layman’s terms means ‘data that can be used to identify a person’, it will include things you may not readily think of such as video surveillance as well as any other forms of personal data collected on customers, employees, contractors, vendors, and so on. Furthermore, since it applies to all personal data that may be in your possession, it will include data you may possess relating to, for example, a former customer or a person with whom you decided not to do further business.
Given the far-reaching implications, it will be critical that businesses and other organisations prepare effectively so that they can ensure readiness. Many provisions currently in the bill are not likely to change significantly as they are based on Privacy and Data Protection Model Policy Guidelines and Legislative Texts developed for the Caribbean region. These model policies and legislative texts were developed to complement agreements in place with the World Trade Organization.
Despite the wide reach of the legislation and considerable penalties to organisations of all sizes and sectors, as well as to individuals, there is still limited awareness of the current provisions or what to do to ensure compliance with the new law when enacted. Some of the key provisions of the Jamaica Data Protection Act that businesses and other organisations will need to be versed in include:
1. Ensuring compliance with the eight data-protection standards such as making sure that there is a lawful basis for processing data; that there is transparency to individuals around how their data are processed; that the data are only used for the purpose that has been so disclosed; and that there are adequate measures in place to protect personal data throughout all stages from collection to use, storage, transfer, and finally, disposal.
2. Ensuring that individuals are able to exercise their rights over their data such as having the right to access the data and to prevent use of their data in certain respects.
The provisions currently contained in the bill will work alongside other legal requirements, and where there are other specific laws relating to matters covered in the Data Protection legislation, these other laws may take precedence (such as the Proceeds of Crime Act).
Where do organisations begin? The obvious place to start is to familiarise yourself with the bill and begin to prepare. To begin the preparation, ask yourself:
1. Do we know what personal data we have? This is foundational as you cannot protect data unless you know about it, so a data inventory is critical. The protection mechanisms put in place – whether these are organisational, such as procedures, or technical, such as system controls – will need to be appropriate, considering the sensitivity of the data and available techniques for protection of that data.
2. Do we know what to do in the event of a data breach or other compromise of personal data? You will need to have an incident-response programme.
3. Could we easily identify the information we hold on a particular individual such as a customer or an employee? If not, you will need a process to manage requests from individuals within the time frame that will be specified in the law.
4. Where are our areas of weakness? Your weakest link could be a third-party provider such as a supplier or outsource provider. If you outsource to a vendor, your obligations under the law have not been relinquished.
What of the impact of COVID-19 on all of this? The European Data Protection Board (EDPB) has provided guidance. In a statement in March 2020, the EDPB stressed that even during these exceptional times, GDPR rules and regulations must be adhered to and that data controllers and processors must ensure the protection of personal data for data subjects.
That said, organisations should also now keep in mind that data collected from individuals regarding COVID-19 may be considered personal data, and you need a valid legal basis for collecting and processing the data.
In summary, the Jamaica Data Protection Act is on its way. You should get ready because there may be severe consequences for lack of preparedness.
Carolyn Bell-Wisdom is partner at PwC Jamaica. Send feedback to email@example.com.