The Information Commissioner has assumed the Office and the Data Protection Act has been gazetted. Now what?

The Data Protection Act has now been gazetted and the Information Commissioner, Celia Barclay assumed her office on December 1, 2021 the same day the legislation was implemented. What impact does that have on my business and what if any should be my immediate next steps? As the CEO, Chairman or member of a Board there is only one objective you should be focusing on: ensuring that your company is in a position to register with the Office of the Information Commissioner whenever it is announced by the Information Commissioner that you must register. Having put yourself in a position to register you can now start implementing your data protection compliance programme to ensure you

Why is it necessary for me to register and what happens if I don’t register?

The Act prohibits the processing of personal data by a business (a data controller) without first registering with the Information Commissioner. If you have a business, you process personal data. Personal data at a very basic level includes names, telephone numbers and email addresses. Processing personal data could be as simple as storing the phone numbers of persons residing in Jamaica for business purposes in your mobile phone.

So yes, you process personal data and yes, the Data Protection Act applies to you and yes, you are required to register with the Information Commissioner at the appropriate time and no, having a privacy policy prepared without more will not make you compliant. When is the appropriate time you may ask? — Any time before the end of the two (2) year transition period that the Information Commissioner indicates is the appropriate time to register.

If you continue to operate your business without registering with the Information Commissioner, you can be fined up to $2 million or you can be imprisoned for a term not exceeding six (6) months if found guilty by a Parish Court judge.

Hopefully having been satisfied that the Data Protection Act applies to you, you should now be asking yourself the question — What are the registration requirements? There are primarily two items that you would be required to register with the Information Commissioner:

  1. You are required to register your registration particulars, and
  2. You will be required to register a general description of the measures that you intend to take to protect the personal data that you are processing.

While this may sound like a relatively straightforward exercise you should not fall into a false sense of security. Over the past two years, while helping companies in Jamaica get ready for registration, experience has taught us that compiling your registration particulars is a very involved exercise and depending on this size of your business it can take upwards of twelve (12) months.

Compiling the registration particulars includes among other things:

  • stating the name of the data controller;
  • stating the name of your data protection officer if you are required to appoint one;
  • providing a description of the personal data you are processing or intend to process;
  • providing a description of the purpose for processing the personal data;
  • providing a description of any recipient or recipients of this personal data;
  • identifying territories or States outside of Jamaica to which you transfer or intend to transfer this data.

Experience has further taught us that this is a very engaging and time-consuming exercise.

If you are desirous of attempting to get the ball rolling yourself without hiring a domain expert here are six simple steps you can take to start:

Step 1: Understand what is included in the definition of personal data.

Step 2: Identify all the various processes in your business that process personal data.

Step 3: Identify all the personal data that is processed in each business process.

Step 4: Identify all the unstructured personal data that resides within your business.

Step 5: Identify the purpose of processing personal data in each process.

Step 6: Identify all third parties and external third-party countries with whom you share personal data.

Each step has significant legal implications if you fail to accurately determine any of the above-stated steps.

Once you have completed the above steps, you now have to generally describe the technical and organizational measures that you have put in place or intend to put in place to safeguard the information assets that process the personal data that you have identified and by extension safeguard the privacy rights of your clients and/or employees and/or partners.

We hope that we have given you sufficient insight into what your next steps need to be. In summary, prepare to register with the Information Commissioner. Seek an entity or person with implementation experience and domain expertise with the Jamaican Data Protection Act and local privacy laws to help you get ready to register.

Chukwuemeka Cameron is an Attorney and Privacy Practitioner and the founder of Design Privacy a consulting firm whose sole focus is helping companies comply with local and international privacy laws. For comments or feedback contact

Founder of Design Privacy a company that helps you comply with local and international privacy laws.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

An insider’s guide to getting a penetration test

Top intriguing hackers:

My duplicate unique identity

{UPDATE} Crystal Connect Hack Free Resources Generator

Why you are a Target for Spies on LinkedIn

Beginner Bug Bounty Resources

“Ridesharing Apps and Your Data Privacy: What you Need to Know.” (From our Forums.)

Solorigate, the ‘Pyramid of Pain’, and the Future of Mitigation: A Rapid Assessment

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chukwuemeka Cameron

Chukwuemeka Cameron

Founder of Design Privacy a company that helps you comply with local and international privacy laws.

More from Medium

Unlocking The Missing Links Through Cultural Influence With Laura Gallaher

Learnings from blood, sweat, and tears on Data & AI Transformation

Bundling, unbundling, and re-bundling: understanding the cycle of progress

The year 2021 in review_ Shaping a better world together