
Okeeto DaSilva | Effects of Data Protection Act on commercial activity, corporate governance

Published: Tuesday | February 2, 2021 | 12:07 AM

Will your organisation be impacted by the Data Protection Act (DPA)? If so, are you aware that you could face criminal prosecution and be fined up to four per cent of your annual revenue if found in breach of this act? Let us explore these questions and the far-reaching implications of this legislation, which was signed by the governor general on July 10, 2020.

The DPA will have far-reaching consequences for any individual or entity that collects the personal data of living individuals for a particular purpose or determines how the personal data is to be used. It classifies these individuals or entities as data controllers. The important question is, am I a data controller?

The DPA defines a data controller as a company, individual or government entity that determines the purpose and manner in which personal data is obtained, recorded, stored, altered, manipulated, disclosed, encrypted, erased or destroyed.

If you fall within any of the above categories, you should then carefully consider the scope of the act. You must also be aware that all data controllers must be registered with the Office of the Information Commissioner.

The DPA regulates how personal data is handled by persons and entities. Personal data is defined by the DPA as information relating to a living individual or an individual who has been deceased for less than 30 years.

DATA PROTECTION STANDARDS

The DPA introduces eight standards that data controllers must adhere to when processing the personal data of individuals. Failure to abide by these standards may create legal consequences. The standards include: obtaining the consent of an individual before personal data is processed and also disclosed to a third party; retaining data no longer than is necessary; and ensuring that data is accurate. If any of these standards is breached, the data controller must report such an incident to the Office of the Information Commissioner within 72 hours. A breach of any of the data standards may also result in criminal charges and a fine of four per cent of your annual turnover.

THE DATA PROTECTION OFFICER

The DPA requires that all data controllers must appoint a data protection officer (DPO). The DPO is responsible for ensuring that the entity complies with the provisions under the DPA.

Personal data must be protected from unauthorised access and cybersecurity attacks.

Under Section 30(1) of the DPA, a data controller must implement the necessary technical and organisational infrastructure to secure the personal data of data subjects. This is a critical and arguably a new obligation created by the act. Never before was an entity legally obligated to implement measures to protect the personal data of individuals.

This is perhaps one of the far-reaching implications of the DPA. The act states that such measures should safeguard against cybersecurity attacks and hacking that would enable unauthorised persons to gain access to data.

In 2020, British Airways was fined £20 million after an unknown third party gained unauthorised access to its computer network. Between June 22, 2018, and September 5, 2018, the third party had access to the personal data of over 400,000 customers, including the credit card information of 170,000 customers. The third party also created a website and rerouted payment from the official British Airways website to his. A report by the Information Commissioner’s Office (ICO) cited internal weaknesses in the airline’s information security practices, including the storing of the password and user name of a privileged administrator account on a server. The fine imposed on British Airways was based on a percentage of its annual turnover, which is also provided for in the Jamaican act. The ICO imposed a fine of one per cent of the annual turnover of the airline.

The breaches cited by the ICO in the UK underscore the need for entities that gather personal data from the public to have robust cybersecurity policies and technical infrastructure to prevent unauthorised access. In Jamaica, data controllers who are in breach may face pecuniary penalties and could be liable to compensate the data subject who is affected by the breach.

The DPA will certainly impact the way in which businesses are governed by imposing additional management, regulatory, personnel and control requirements. Additional personnel requirements would include the need to train and appoint a data protection officer and provide additional training for staff members. Company executives and managers must also ensure that adequate systems are in place to mitigate data breaches. Data security breaches can be costly and will have the effect of compromising the integrity of the entity. Such breaches will also expose the controller to pecuniary fines and compensation. This may affect the entity’s bottom line.

The passage of the DPA is indeed timely. The privacy rights of individuals are of paramount importance. As such, it is imperative that both government and corporate entities become familiar with the act. Ignorance of the law is no excuse and can result in avoidable sanctions. Are you ready for the Data Protection Act? If not, it is time to put the relevant policies and practices in place to ensure compliance.

Disclaimer: The above article is not legal advice and is published for information purposes only.

Okeeto DaSilva is crown counsel at the Office of the Director of Public Prosecutions.