The Information Commissioner has assumed the Office and the Data Protection Act has been gazetted. Now what?
The Data Protection Act has now been gazetted and the Information Commissioner, Celia Barclay assumed her office on December 1, 2021 the same day the legislation was implemented. What impact does that have on my business and what if any should be my immediate next steps? As the CEO, Chairman or member of a Board there is only one objective you should be focusing on: ensuring that your company is in a position to register with the Office of the Information Commissioner whenever it is announced by the Information Commissioner that you must register. Having put yourself in a position to register you can now start implementing your data protection compliance programme to ensure you
Why is it necessary for me to register and what happens if I don’t register?
The Act prohibits the processing of personal data by a business (a data controller) without first registering with the Information Commissioner. If you have a business, you process personal data. Personal data at a very basic level includes names, telephone numbers and email addresses. Processing personal data could be as simple as storing the phone numbers of persons residing in Jamaica for business purposes in your mobile phone.
So yes, you process personal data and yes, the Data Protection Act applies to you and yes, you are required to register with the Information Commissioner at the appropriate time and no, having a privacy policy prepared without more will not make you compliant. When is the appropriate time you may ask? — Any time before the end of the two (2) year transition period that the Information Commissioner indicates is the appropriate time to register.
If you continue to operate your business without registering with the Information Commissioner, you can be fined up to $2 million or you can be imprisoned for a term not exceeding six (6) months if found guilty by a Parish Court judge.
Hopefully having been satisfied that the Data Protection Act applies to you, you should now be asking yourself the question — What are the registration requirements? There are primarily two items that you would be required to register with the Information Commissioner:
- You are required to register your registration particulars, and
- You will be required to register a general description of the measures that you intend to take to protect the personal data that you are processing.
While this may sound like a relatively straightforward exercise you should not fall into a false sense of security. Over the past two years, while helping companies in Jamaica get ready for registration, experience has taught us that compiling your registration particulars is a very involved exercise and depending on this size of your business it can take upwards of twelve (12) months.
Compiling the registration particulars includes among other things:
- stating the name of the data controller;
- stating the name of your data protection officer if you are required to appoint one;
- providing a description of the personal data you are processing or intend to process;
- providing a description of the purpose for processing the personal data;
- providing a description of any recipient or recipients of this personal data;
- identifying territories or States outside of Jamaica to which you transfer or intend to transfer this data.
Experience has further taught us that this is a very engaging and time-consuming exercise.
If you are desirous of attempting to get the ball rolling yourself without hiring a domain expert here are six simple steps you can take to start:
Step 1: Understand what is included in the definition of personal data.
Step 2: Identify all the various processes in your business that process personal data.
Step 3: Identify all the personal data that is processed in each business process.
Step 4: Identify all the unstructured personal data that resides within your business.
Step 5: Identify the purpose of processing personal data in each process.
Step 6: Identify all third parties and external third-party countries with whom you share personal data.
Each step has significant legal implications if you fail to accurately determine any of the above-stated steps.
Once you have completed the above steps, you now have to generally describe the technical and organizational measures that you have put in place or intend to put in place to safeguard the information assets that process the personal data that you have identified and by extension safeguard the privacy rights of your clients and/or employees and/or partners.
We hope that we have given you sufficient insight into what your next steps need to be. In summary, prepare to register with the Information Commissioner. Seek an entity or person with implementation experience and domain expertise with the Jamaican Data Protection Act and local privacy laws to help you get ready to register.
Chukwuemeka Cameron is an Attorney and Privacy Practitioner and the founder of Design Privacy a consulting firm whose sole focus is helping companies comply with local and international privacy laws. For comments or feedback contact ccameron@designprivacy.io