5 Reasons why Boards should care about the impending Jamaican Data Protection Act.

For those not interested in reading the entire article I have saved you the hassle:

The Commissioner once established has the power to stop your business if your core business involves the processing of personal data and you are in contravention of the act.

• A simple data breach can lead to a class action, that up until now has been not a feature of our civil litigation, which exposes organizations to large fines.
• The Commissioner has the power to issue large fines that can significantly impact your business.
• A contravention of certain provisions of the Act are criminal and attract custodial sentences.
• Enforcement proceedings can be instigated by employees, customer or any data subject whose personal data you process.

For those who want to know more, a joint select committee of the Jamaican Parliament has now completed reviewing all the recommendations and making all the amendments to the proposed Data Protection Act . According to aggressive timetable set by Minister Fayval Williams, the Ministry is to compile the final report by January 2, 2020 and have it submitted to her on the same day. The Minister has committed to complete reviewing the report by the following day and have circulated to the rest of the committee on January 3, so it can be considered by the Committee on January 8. This aggressive timetable is in keeping with the commitment given by the government to have this bill piloted through the parliament in a timely manner.

Having observed how steadfastly the joint select committee worked on getting the Bill to this stage there can hardly be any question if the bill is going to be enacted sooner than later. We must always be mindful however that there’s many a slip ‘twixt the cup and the lip’.

First things first, the Data Protection Bill in its current form provides for a one year transition period. During this transition period however the administrative parts of the Bill is slated to be rolled out i.e. the establishment and staffing up of the Commission. During this one year period no proceedings under the Act will be taken against a data controller in respect of any data processing done in good faith. This is understandable as there would be no operational commission at the inception to initiate any type of proceedings under the act. What it does mean is that at the end of the one year period the Commission should be prepared to hit the ground running. While one year may seem like a long time, given the enormity of the impact the Act will have on the day to day business operations, it may not be sufficient.

Having come to grips with the imminent passage of the Data Protection bill why should a board or executives concern themselves or worse yet incur any additional expenses as a result of the DPA? This question may be raised especially in our national context where we do not have a culture of privacy nor do we take cyber security and data privacy very seriously (see my previous article entitled “What was the uproar over NIDS all about Mr. Robinson ” to see how we treat the most sensitive data). Unfortunately, common business practice may dictate that this is something legal and/or IT can deal with without any budgetary or executive level support. Here are five reasons why this approach may not be sufficient.

As the law is currently proposed, where a data controller contravenes any of the data protection standards, the Commissioner may serve the data controller with a notice requiring the data controller among other things to refrain from processing any personal data. If your business is one whose core business relates to the processing of personal data this action by the Commissioner can bring your business to a grinding halt.

Alternatively the Commissioner may serve a data controller with a fixed penalty notice (a fine )where he is satisfied that there has been a serious contravention of any provision of the Act and it was of a kind likely to cause substantial distress; and the data controller knew or ought to have known that there was a risk that the contravention would occur; and that such contravention would be of a kind likely to cause substantial distress, but failed to take reasonable steps to prevent the contravention. Set out below are the top ten fines that have been levied by Supervisory Authorities across Europe for last year. This table was compiled by the website Enforcement Tracker.

It is note worthy that more than half of the violations related to “Insufficient technical and organisation measure to ensure information security”. That would be akin to our data processing standards number seven. We can discern that what the companies were being sanctioned for was not necessarily a data breach but the fact that they failed to put the appropriate technical and organisation all measures to avoid a data breach. It is no longer prudent for businesses to be satisfied that they can access their business information, they must now ensure that the requisite governance structures and technical solutions are in place to ensure the confidentiality, integrity and availability of the personal data. Our section 70, as the proposed act is currently drafted, makes a body corporate liable to a fine not exceeding ten per cent of the annual gross income of that body corporate for certain contraventions of the Act.

Also worth of note is the fact that a person who commits an offence under the act in addition to being fined up can also be imprisoned for up to 5 years.

Given the nature of data breaches, the Data Protection Act opens companies up to what are traditionally known in the United States as class actions. While we have always had the ability to bring representative actions, section 71 of the DPA provides that : An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage. An example of a data breach can be where a customer list containing customers personal data is stolen, lost or accidentally disclosed or destroyed. The size of the customer list will determine the size of the class action assuming the data subjects suffered some form of damage. Although the damages suffered by each data subject may be minimal, which would entitle them to nominal damages, the cumulative effect of the class action could be detrimental to a company. From time immemorial the legal profession has been accused of having ambulance chasers. With this new law Attorneys may be incentivized to vigorously defend the privacy rights of data subjects.

Coincidentally as I was writing this part of the article I received an email from a company that was wishing their customers seasons greetings. A company I have never done business with before. This email however was cc’d to at least four hundred other persons, in addition to the email address the full name of the persons were also disclosed. When I referenced the “nature of data breaches” this is a good example of what I was talking about. Fortunately or unfortunately the email was only forwarded to their customers with first names beginning with A — C. Under the proposed Data Protection Act this would be a data breach that would entitle all the persons whose names and email addresses were exposed to damages once they could establish they suffered some distress or damage.

Finally an organization again given our culture may erroneously think that he can fly below the radar or the supervisory authority. The problem with this line of thinking is that an investigation by the Commission can be instigated by a number of actors. Firstly you have the Data Protection Officer who is obliged to advise the Commission of a data breach where there is a risk to the privacy rights of data subjects and the organisation fails to take any or any sufficient corrective actions. Disgruntled employees can also make a report of any inappropriate activities or lack of proper safe guards. Most significantly are all your customers, whose privacy rights you are responsible for safeguarding, who can also lodge a complaint with the supervisory authority which can then lead to an investigation.

In light of the size of the fines, the power of the Commissioner, the possibility of custodial sentences and the ability of several actors to hold organizations accountable, boards can no longer afford to ignore IT departments who have been clamoring for budget allocations to implement information security solutions. The script has now been flipped and the prudent board or executive team would now be the one pressuring there IT and legal departments to ensure the appropriate technical and organizational measures are in place to safe guard the privacy rights of their customers and other data subjects.

Chukwuemeka Cameron, an Attorney, is a trained Data Protection Officer with a Masters in Information Technology and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and and build trust with your customers. Feedback can be sent to ccameron@designprivacy.io.