Data protection compliance systems could take a year to set up
Lawyer urges companies to start now to meet November 2023 deadline
A lawyer versed in the Data Protection Act is telling business owners to move swiftly on their development of policies and procedures that would bring their organisations into compliance with new data protection laws.
Jamaica’s Data Protection Act, DPA, in some respects digs deeper than the European Union’s General Data Protection Regulation, the GDPR, on which it was modelled, and will take companies nearly a year or more to bring themselves into compliance, attorney Chukwuemeka Cameron said Friday.
The DPA, which became law in May 2020, will apply to anyone collecting the personal data of individuals.
Although individuals and entities have up to November 2023 to become compliant, Cameron is advocating that they begin the process now, saying that from his experience it would take an organisation no less than 10 months to get ready. Those who aren’t are likely to face significant penalties if found to be in breach of the law.
The timeline to get the business ready could be longer than 10 months, he added, depending on the nature of the business and just how much information would need to be processed as part of daily operations.
A chunk of the workload would relate to the establishment of registration particulars, policies and procedures that would require approval from the information commissioner before any organisation or individual can begin processing information on clients or guests when the DPA takes effect.
The process to establish registration particulars could cause organisations to re-engineer business processes to allow for easy identification of personal data on each data subject, mapping the flow of data and the accuracy of same.
Individuals and organisations processing data for any purpose would also need to engage stakeholders on privacy changes, train staff, rewrite privacy notices for clients, as well as rewrite contracts with third parties that data may be passed on to. One example of such data is an individual’s name and vehicle particulars, oftentimes obtained by security guards when someone enters a premises.
“When someone drives into your business and you capture that licence plate, and the face and name of that person, those are all considered the processing of data. The information commissioner wants to know what do you do with that information, what do you do with that book,” said Cameron.
“From experience, dependent on the size of the organisation, the whole concept of getting ready for registration takes upwards of 12 months,” Cameron said at a forum on the DPA hosted for companies by the Private Sector Organisation of Jamaica.
Prior to 2010, only four territories in the region had comprehensive data protection laws. Now, there are 15, with Barbados, Bermuda, Brazil, Cayman Islands, Jamaica, and Panama being the most recent additions.
The DPA, which seeks to safeguard the privacy and personal information of Jamaicans, draws attention to the processing of data in a fair and lawful manner, the obtaining of data for specified purposes, and the requirement that data be adequate, relevant, and not excessive in relation to the purpose for which it is to be processed.
“Remember we are speaking about the right to privacy so there is no limitation from a business perspective if you put the data subject at the centre of your consideration and ask yourself the question of whether you are respecting the right to privacy of the individual, it doesn’t matter if it is an electronic, digital format or hard copy,” Cameron said.