Companies urged to get sensitised on new Data Protection ActFriday, August 20, 2021
Companies who fail to adequately protect customers' data could be fined up to four per cent of their revenue in the next two years. That's part of the penalty under the new Data Protection Act, 2020 which awaits promulgation. The Act, which seeks to safeguard the privacy and personal information of Jamaicans, was passed in the Senate on June 12 after being approved without amendments in the House of Representatives a month earlier.
Speaking on #MoneyMovesJa with Kalilah Reynolds chief executive officer at tTech Limited, Chris Reckord, urged companies' boards of directors to ensure that team members are sensitised about the metrics of the new Act. He said the Government will not give an effective date of the Act until it has the relevant authorities in place to ensure monitoring and compliance.
In closing the debate on the Bill back in June, Leader of Government Business Senator Kamina Johnson Smith noted that there would be a two-year transition before the legislation took effect.
Reckord said companies should use the period to get their houses in order. He said they should use the time to assess the extent of personal private data being processed.
“The minister [with responsibility] has to put the organisation together. There has to be a commissioner or some sort of office that's to be responsible for compliance so businesses have a little bit of time to be aware of what's going on, start to learn what's necessary, start to learn the organisational measures, the IT and cybersecurity measures,” he said.
Reckord said it will take some time for companies to understand the full legislation. For instance, he said it will now require organisations to have defined policies to let people know how they are processing their private data and to highlight those likely to be responsible in the event of a breach.
He said this information would also need to be presented to the appointed commissioner when the time comes for companies to register under the new Act.
“If, for example, you are a service provider doing work for a company and you now need to handle their staff's names and addresses, date of births and anything that can identify that person, you now need to have an agreement with each other,” he said.
“Pretty much everybody needs to register. Some organisations have the resources to handle this internally but a lot don't, so one of the things we're [tTech] now doing is coming in and doing board training, advising board of directors and management teams of their roles in this thing and and just giving as much information as possible,” added Reckord.
Other territories in the region with data protection laws include Barbados, St Lucia and the Cayman Islands. Reckord pointed out that in other areas with similar laws, companies have been ordered shut by commissioners for non-compliance to the regulations. However, he's expecting a gentler approach in the Jamaican context as the country adjusts to the new regime.
“The expectation is that here there will be some leniency within the first period whether it's a year or two but we're out there helping people with technical and organisational measures. With an investment of US$2000, we would come in and tell you where you are, tell you what's possible and we may even start some sort of a data mapping,” he noted.
The Data Protection Act underscores how personal data should be collected, processed, stored, used and disclosed in physical or electronic form.