Chukwuemeka Cameron
6 min read · Dec 23, 2019

Are you ready for the Data Protection Act?

The Data Protection Bill was tabled in 2017. At that time industry stakeholders lobbied Parliament for a transition period between passage of the act and its implementation. A minimum period of two years after the passage of the act was requested to allow companies to do what is necessary to become compliant. It was argued that this was necessary given the fundamental changes and capital outlay that would have to be made by organisations. This request was consistent with the manner in which the General Data Protection Regulation (GDPR) (the equivalent of our Data Protection Act (DPA)) was rolled out in Europe. The GDPR provided that it would not become effective until two years after its passage. It was passed in May 2016 and became effective in May 2018. The DPA in its current state only provides for a limited transition period for the government.

Two years having now elapsed since the introduction of the bill and extensive consultations, what steps, if any, have been taken by government agencies and private sector companies to become DPA ready in light of the transition period that was being requested? Appreciating the last-minute propensity of our culture, the better question may be: what steps should one be taking to become DPA ready? And which companies should be more concerned about the DPA?

The reality is that all organisations, as long as they process personal data, are subject to the act. However, some processing activities expose data subjects to more risk than other types of processing. Companies that process personal data as their core business, such as market research companies and telecommunications companies; companies that process large amounts of sensitive and/or personal data, such as the medical, financial, tourism and BPO sectors; companies that automate the processing of personal data; and, in addition, all companies listed on the junior and main stock exchange that are sensitive to external legal and regulatory risks, should all have started getting their houses in order.

Some industries, like the hotel industry, are already subject to the GDPR as they market directly to European data subjects.

Here are some practical tips to start your Data Protection Compliance journey.

The first thing you need to do is become familiar with the new paradigm that the Data Protection Act is heralding in by attending some bespoke training, such as the one being held by Design Privacy this Saturday (or any other provider of a bespoke course), that focuses on the proposed Jamaican Data Protection Bill and not the GDPR, as they are significantly different, especially as it relates to the obligations and liabilities of organisations (data processors).

You should make sure that decision makers and key people in your organisation are aware that the law is coming. Has this issue been discussed at any of your previous board meetings, or has it been placed on the agenda for your next board meeting? For companies that don’t have an active board, is it going to be discussed at your next business meeting? The board or the business needs to appreciate the impact the passage of the Data Protection Act is likely to have on the personal criminal liability of key personnel and the fundamental changes that have to take place in how one processes personal data. Updating one’s privacy policy alone will not suffice.

The law as it now stands requires all organisations to appoint an appropriately qualified Data Protection Officer who is to oversee the implementation of your data protection compliance programme. The Data Protection Officer (DPO) cannot be your CIO or head of HR or anyone that currently makes any decision in relation to how the data is processed, in order to avoid a conflict of interest. Have you thought about what a duly qualified Data Protection Officer would look like for you? Have you thought about or started to shortlist persons to train as a DPO or hire as a DPO? The main functions of the DPO are to:

  • Raise awareness of Data Protection issues and provide training
  • Monitor and oversee compliance with the DPA
  • Advise on and help execute the mandatory Data Protection Impact Assessment
  • Provide advice on complying with the DPA
  • Cooperate with the supervisory authority, and
  • Be the contact person for your customers in relation to personal data protection issues.

What might an appropriately qualified Data Protection Officer look like? Someone with an understanding of:

  • the legal and regulatory environment in which your business operates, extending beyond the Data Protection Act,
  • more than the basics of ICT and IT management systems,
  • business operations, with experience in a corporate or business environment, and of course
  • some form of training and experience as a Data Protection Officer.

The next activity you can undertake is to document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas. You should review your current privacy notices and put a plan in place for making any necessary changes in time for DPA implementation.

Understanding that you have an obligation to ensure your customers can exercise their privacy rights, you should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically.

The DPA includes the following rights for individuals:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to restrict processing;
  • the right to object; and
  • the right not to be subject to automated decision-making, including profiling.

You should update your procedures and plan how you will handle requests to take account of the new rules. In general, if a customer were to exercise any of the above listed rights, for example by requesting from you all the personal data you hold on them, you will have 30 days to respond. If your organisation were to receive a large number of these access requests, have you thought through the logistical implications of having to deal with all of them at the same time?

At the very minimum you should identify the lawful basis for your processing activity in the DPA, document it and update your privacy notice to explain it. This will be something that is totally new. Bear in mind that it may well be a breach of your customers’ privacy rights to process their personal data in the absence of a lawful basis (as I sought to explain in my article entitled). Organisations will be well advised to start considering this even in the absence of a Data Protection Act.

If you currently obtain consent from your customers to process personal data, you should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the DPA standard.

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

The DPA introduces a duty on all organisations to report certain types of data breach to the supervisory authority and, in some cases, to individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases. Failure to report a breach when required to do so could result in criminal liability and a fine, as well as a fine for the breach itself.

Outside of the Data Protection Officer you should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.

These are but some of the issues your organisation needs to start considering as it prepares for the data protection compliance journey.

Chukwuemeka Cameron is an Attorney with a Masters in Information Technology and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Feedback can be sent to ccameron@designprivacy.io
