NGOs urged to take immediate action on data protection

Expert on data privacy, Andre Palmer, has emphasised the urgency for non-governmental organisations (NGOs) to be compliant with the Data Protection Act.

Palmer, who is head of practice at Securys (Jamaica) Ltd, was making a presentation on the Data Protection Act at a webinar organised by the Council of Voluntary Social Services (CVSS) recently.

He warned that NGOs must act now to avoid breaching the law and, more importantly, to protect the individuals whose personal information they manage.

“If your organisation is collecting or processing personal data and you are not registered with the Office of the Information Commissioner (OIC), then you are operating outside the law,” he emphasised.

He explained that data protection is fundamentally about safeguarding people. He observed that NGOs, which often work with marginalised and vulnerable communities, routinely handle personal data, from names and birth dates to addresses, national identifications, and more. If this data is misused or exposed, the consequences can be serious and irreversible, he explained.

“Behind our day-to-day activities, behind the operations of our organisations, are real people,” he said. “And, if their privacy is compromised, they can suffer real harm.”

Palmer noted that while data privacy has only recently become a major topic in Jamaica, it has long been a global concern. Countries like the United Kingdom passed their first Data Protection Act as early as 1984. The European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018, has since become the gold standard for privacy laws worldwide.

Jamaica’s Data Protection Act, passed in 2020, draws heavily on the GDPR framework. It sets out clear responsibilities for organisations that collect, store, or process personal data, including a requirement to register with the OIC and implement data protection safeguards.

REGULATORY REQUIREMENTS

Jamaica’s first information commissioner was appointed in December 2021, triggering a two-year transition period for organisations to begin the journey towards compliance.

Initially, NGOs and other data controllers were required to commence registration on December 1, 2023. But many organisations indicated they were not ready, citing delays in appointing data protection officers, developing policies, or auditing the personal data they held. A six-month grace period was granted, extending the commencement of registration to June 1, 2024.

Now in May 2025, the grace period has ended, and the country is officially in its second year of the registration cycle. Under the law, organisations must register and re-register annually by December 1. Failure to do so will result in a breach of the law and the regulator is empowered to require non-compliant entities to cease operations.

Palmer acknowledged that compliance doesn’t happen overnight. But organisations are expected to have taken meaningful steps by now, including appointing a data protection officer, if required, drafting a data protection or privacy policy, conducting internal audits of data held, and training staff on data privacy principles.

“Even if you haven’t started yet, there’s still time, but the clock is ticking,” he warned. “This isn’t just about meeting legal requirements. It’s about protecting the dignity, safety, and rights of the people we serve.”

Nancy Pinchas, executive director of the CVSS, explained that the CVSS has partnered with Securys (Jamaica) Ltd to assist local NGOs to meet the requirements of the Data Protection Act and that the webinar is one in a series of sessions that would be conducted to support its members and ensure that they understand their responsibilities in safeguarding personal data.

“Today’s presentation is a critical step in helping civil society organisations navigate the path to data protection compliance with clear, practical guidance and a focus on making regulatory requirements both affordable and achievable, especially given the resource constraints many of us face,” she said.