The burden of the Data Protection Act on small business
The Institute of Chartered Accountants of Jamaica recently invited me to present a legal perspective on leveraging data analytics to drive growth at its annual business seminar. One of the concerns that was raised was the negative impact the Data Protection Act (DPA) may have on small- and medium-sized enterprises (SMEs). This is a common concern as the DPA, save for the exemptions set out in the Act, will apply to all entities that in any way process personal data of Jamaican citizens regardless of the size or the legal status of the entity. This, by definition, includes arms of the Government.
Personal data means any information which, whether by itself or together with other information, can be used to identify an individual. In light of the wide application of the Act, alarm bells have been raised about the burden this law will place on SMEs. It is the writer’s view that the Government and the larger companies will feel the brunt of this new legislation more than the SMEs. Further, it behoves private sector companies to maximise the benefits of processing personal data, using tools such as data analytics, to offset the mandatory costs that will be incurred.
Unquestionably, there will be a financial burden placed on all entities that process personal data. All entities that process personal data will be referred to as data controllers. The law, once it is passed, will require all companies, including government bodies and agencies, to appoint a data protection officer (DPO) who is suitably qualified, which will fundamentally change the way they process personal data. The Act has not defined what “suitably qualified” means. It is clear, however, that whoever is appointed DPO must not have a conflict of interest.
A conflict of interest will arise where the DPO, outside of his role as the DPO, is otherwise responsible, either directly or indirectly, for deciding how data is processed in the company. There may also be a conflict of interest if it is the DPO who is otherwise responsible for the custody, collection, or actual processing of the personal data. The impact of this is that the person one would think is best suited for the job, the chief information officer or head of IT, is precluded from becoming the DPO because of a potential conflict of interest.
In these circumstances the company may be compelled to hire a DPO full-time, or to hire a DPO on contract as the Act allows. Even if one chooses to upskill an existing employee, one will incur the cost of training that employee to ensure that he is suitably qualified as required by law. In addition to the paid position, which will impact the bottom line, members of staff will, as is the case with the requirements of the Proceeds of Crime Act, have to undergo training on an ongoing basis in order to be compliant. It is not the responsibility of the DPO to provide this training.
Coupled with the above expenses, additional monies will have to be spent on implementing an appropriate IT governance framework. There will be significant exposure of the board to criminal liability, which can result in a fine or jail time, if they breach any of their customers’ privacy rights or fail to comply with the prescribed processing standards and mandatory requirements.
In Europe, the supervisory authorities responsible for monitoring the implementation of the General Data Protection Regulation (GDPR), the European equivalent of our DPA, have adopted a sanctioning policy that is meant to be dissuasive; that is, they make examples of big entities by imposing large fines once there has been a breach.
Given the structural and financial burdens, coupled with the exposure to criminal liability that entities are faced with, it only makes sense that companies maximise the benefits that flow from processing personal data by generating additional revenue streams. Regardless of whether you benefit from processing personal data by generating or increasing revenues, you still have to incur costs to make sure the data is being processed fairly and with due regard for the rights of the data subjects. Benefits that can flow from processing personal data could include:
• reducing operational costs by creating greater efficiencies;
• creating new revenue streams by discovering new customer needs;
• improving customer experience by creating a more customised service or marketing collateral; and
• increasing recurring revenue by creating a sticky service, just to name a few.
One tool that can be used to maximise the value of personal data is what is now a buzzword, artificial intelligence (AI). Whether AI has truly matured is yet to be seen, but what is clear is that there are now local companies such as Bluedot offering data analytics services that, among other things, use AI. Based on a presentation made at the same Institute of Chartered Accountants business seminar, the CEO of Bluedot said that there is an average increase in revenues of 30 per cent as a result of the application of their services to existing businesses.
Given the nature of corporate structures and culture, and more so corporate legacy information systems, bigger companies will find it difficult to change the attitude of all their employees towards personal data, and if the change is not championed by the executive it will fail. Larger companies will also find it difficult to streamline and rationalise the personal data they currently process, given their legacy systems and the lack of any prior personal data governance systems. If companies and government agencies are going to move towards compliance, it is going to be an expensive and somewhat challenging journey.
One only has to take cognisance of European companies which, despite a culture and history of respecting the right to privacy, and despite several directives and regulations having been promulgated that served as the building blocks for the GDPR, are still finding implementation of the GDPR painful.
For smaller companies, although they also have to appoint a DPO, it should be less costly and painful to implement IT governance systems. Traditionally, smaller businesses have less structure and fewer employees, and as such it should be easier to create a culture of respect for privacy rights, again once it is championed from the top. Where there are fewer structures, it should be easier to implement the IT governance systems required to become compliant with the DPA. In theory, smaller companies are supposed to be more agile and better suited to take advantage of new business opportunities. On the flip side, the bigger the company, the less agile it usually is, making it that much more difficult to take advantage of the new opportunities presented by data analytics.
In the final analysis, what is clear is that all companies will have to incur additional costs in order to be on the road towards compliance. It is our view that the larger the company the more painful this process will be. It is a fact that there is great commercial value in the processing of personal data. How a company leverages the processing of personal data outside of the purpose of being compliant is a strategic decision each company will take. In order to offset the inevitable costs of compliance it only makes sense that the prudent company leverage the commercial value of processing personal data.
Chukwuemeka Cameron is an attorney and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Send comments to the Observer or ccameron@designprivacy.io.