Responding to a data breach in Jamaica
Notification requirements and risk-reduction recommendations for data controllers
TODAY, personal data has become one of the most valuable assets for organisations. Businesses, government agencies, financial institutions, and service providers collect large amounts of personal data daily, ranging from simple identifiers such as a customer’s name, phone number, and address to sensitive information like health records and biometric data.
The Data Protection Act (2020) (“DPA”) has imposed strict obligations on entities that determine how personal data is processed and for what purposes (“data controllers”), aimed at promoting transparency, ensuring personal data is adequately protected, and establishing a system that holds data controllers accountable. These obligations apply at all stages of data processing and become most critical when safeguards fail and a data breach occurs.
Reporting Obligations under the DPA
Under the DPA, a data controller that experiences a security breach affecting, or potentially affecting, personal data must report it to the information commissioner within 72 hours of becoming aware of the breach. The data controller should not use this 72-hour period to determine whether personal data has in fact been affected or to assess the extent of such an impact. Once the security breach has the potential to affect personal data, the obligation to report arises. This report must include the following details:
1. The facts surrounding the security breach;
2. A description of the security breach, which should include:
a. the categories and number of data subjects concerned; and
b. the type and number of personal data concerned;
3. The measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach;
4. The consequences of the breach; and
5. The name, address and other relevant contact information of its data protection officer.
The DPA also obliges data controllers, in the event of a data breach, to promptly notify the data subjects whose personal data is affected of the nature of the breach, the measures taken or proposed to mitigate or address its potential adverse effects, and the name, address, and other relevant contact details of its data protection officer.
The importance of having a checklist
The DPA requires all data controllers to implement suitable technical and organisational measures to ensure that the information commissioner is notified promptly of any breach of the data controller’s security measures that affects or might affect personal data. Furthermore, these measures must safeguard against unauthorised or unlawful processing of personal data as well as accidental loss, destruction, or damage to personal data. As a data controller, it is essential to have a checklist outlining clear steps for achieving compliance. Once a data controller identifies the purpose for processing personal data, the checklist should define procedures for data collection, access, storage, retention, erasure, and transfer, along with the technical and organisational measures appropriate to that purpose.
Technical Measures
Technical measures are security safeguards put in place through physical controls and technological means, such as software and hardware, to protect personal data. The complexity of these technical measures, along with the cost of implementing them, should reflect the data controller’s assessment of the level of security needed to prevent harm from unauthorised or unlawful processing, as well as accidental loss, destruction, or damage of personal data, having regard to the nature of the data being processed. Such technical measures include multi-factor authentication, pseudonymisation, encryption, and regular penetration and vulnerability testing.
Organisational Measures
In addition to implementing technical measures and safeguards, it is equally important for data controllers to take reasonable steps to ensure that their employees and agents with access to personal data are not only aware of, but also comply with the security measures in place. In this regard, limiting access to a customer’s personal data to only authorised employees who need it to perform their duties is a simple and effective way to prevent misuse and unauthorised disclosure. These measures will also protect the interests of both employees and customers. For example, a data controller that develops a clear and comprehensive privacy notice outlining how a data subject’s information is collected, used, shared, retained, and the lawful basis for processing it, fulfils its obligation to inform the data subject while setting clear boundaries for employee access to that information. Therefore, data controllers must recognise the importance of having documented internal policies, procedures, guidelines, restricted access controls, routine staff training, and awareness sessions. These should be supported by periodic reviews.
Conclusion
Ultimately, under the DPA, effective data protection requires a proactive and risk-based approach. Data breach notification requirements are vital for accountability, transparency, and protecting data subjects’ rights. Prompt and proper notification after a breach allows affected individuals to take steps to safeguard themselves, enables data controllers to evaluate whether sufficient safeguards were in place, and helps implement preventive and corrective measures to minimise both the impact of the breach and the chance of it happening again.
Akil Williams is an associate at Myers, Fletcher & Gordon, and is a member of the firm’s Commercial Department. Akil may be contacted via akil.williams@mfg.com.jm or www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.