Since the enactment of the EU General Data Protection Regulation (GDPR) on May 25, 2018, Jamaica has been on a course to join other Caribbean nations to model and implement a similar framework for protecting its citizens' privacy and personal information. Currently, Jamaica has become the 15th Caribbean country to enact its own set of privacy laws in 2020, with the most recent being Bermuda (2016), the Cayman Islands (2017), Saint Kitts and Nevis (2018) and Barbados (2019).

Data privacy and security are becoming more important in several business industries as security concerns and data breaches have become more prevalent. Over the years, due to complex and ever-changing technological forces, economic stakes, and other social consequences.

Overview of "The Data Protection Act, 2020"

The Data Protection Act, 2020 (DPA), which seeks to protect Jamaicans' privacy and personal information, was passed by the Senate on June 12, 2020, after being previously approved by the Lower House on May 19 of the same year.

The Act defines and establishes the general scope and principles for the treatment of personal data and provides for transparent oversight that will enable all sectors to strengthen personal data protection. The Act applies to both public and private sector organizations and identifiable natural persons and individuals who have been deceased for less than 30 years.

The Act defines a data controller as any given person or public authority that determines the purpose and manner for processing personal data collected from individuals. The Act also applies to any data controllers established in Jamaica or any entity that processes personal data through Jamaica, regardless of that entity's physical location. The Act further establishes that entities that process an individual's data in Jamaica while offering a product or service to individuals in Jamaica, or any entity that monitors the behaviour of subjects within Jamaica, qualify as a data controller.

Appointment of a Data Controller Representative

A major requirement of the Act is for each individual or entity that qualifies as a Data Controller to appoint an appropriately qualified person as a Data Protection Officer (DPO). The officer, who is limited to a Jamaican resident, an entity established and formed in Jamaica, or a person who maintains a regular practice in Jamaica, will be responsible for monitoring, in an independent manner, the data controller's compliance with the provisions of the legislation. A further requirement of the DPO is to report any breaches to the Commissioner within 72 hours of becoming aware of the breach.

The Act defines eight (8) standards that data controllers must adhere to when processing personal data, which are:

Fair and Lawful Processing: Personal data must only be processed if the data subject consents to the processing of data, and this consent has not been withdrawn. For the processing of sensitive data, this consent must be in writing.

Obtained Only for Specified Lawful Purposes: Data should be collected only for specified and lawful purposes and shall not be processed in any manner that is incompatible with those purposes.

Data Quality: Personal data collected must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.

Accurate and Up to Date: The data must be accurate and, where necessary, kept up to date.

Limited Retention: Personal data processed for any purpose shall not be kept for longer than is necessary.

Processed in Accordance with the Rights of Data Subjects: Personal data must be processed in accordance with the rights of data subjects; further, a person shall be regarded as contravening the Act by processing personal data for purposes of direct marketing without the consent of the data subject.

Protected by Appropriate Technical and Organizational Measures: Appropriate technical and organizational measures will be taken against unauthorized or unlawful processing and accidental loss or destruction of or damage to personal data.

International Transfers: Personal data must not be transferred to a state or territory outside of Jamaica unless that state or territory ensures an adequate level of protection for the rights and freedoms of the data subjects.

Office of the Information Commissioner ("the Commissioner")

The Information Commissioner is the primary regulator under the Act. The main duties and responsibilities of the Commissioner include:

• Monitoring compliance with the legislation and attendant regulations;

• Providing advice to the Minister;

• Disseminating information to the public concerning, among other things, the operation of the legislation; and

• Preparing and disseminating, directing the preparation and dissemination, or encouraging the preparation and dissemination of guidelines that promote good practice. To enable supervision of the Commissioner in the performance of his/her duties, the ACT provides for the establishment of a Data Protection Oversight Committee.

Jamaica appointed its first Information Commissioner pursuant to Jamaica's Data Protection Act, 2020, effect December 1, 2021. As is outlined within the Act, the Information Commissioner has strategic oversight for the establishment and operations of the Office of Information Commissioner in keeping with The DPA.

Next Steps for Businesses in Jamaica

With the appointment of the Information Commissioner, the relevant Minister must now bring Jamaica's DPA into force. This will allow for a two (2) year transitional period in which all data controllers that fall within the ambit of the DPA to become compliant. Failure to comply with the requirements under the Act can result in a company being liable to a fine not exceeding 4% of its annual gross worldwide income.

Within this transitional period, businesses that must comply with the DPA are encouraged to start engaging in the necessary activities that will support consumer privacy rights. These activities include but are not limited to:

• Doing an assessment or analysis to understand what PII is in your company (Data Protection Impact Assessment, Privacy Impact Assessment, Risk Assessments and Data Mapping exercises).

• Categorize your data and collate the legitimate reasons for collecting/using the information in your possession.

• Review your contracts with third-party vendors to ensure their policies adhere to the regulations.

• Identify whether you have consent for collecting and using PII.

• If applicable to the business, determine if the necessary guidelines are in place for sharing, moving, and storing information outside of Jamaica.

• Train and educate employees on the responsibilities they have when dealing with PII.

• Monitor and audit your organization's privacy program.

Symptai Consulting Ltd. is the only Official Training Partner in the English-Speaking Caribbean of the International Association of Privacy Professionals (IAPP). We are uniquely positioned not only as Data Privacy trainers but also as highly qualified privacy practitioners capable of assisting in the development and roll out of your data privacy framework. If privacy is new to your organization or is not where you need it to be contact us today to learn how we can help you to train and upskill staff or provide guidance on privacy practices within the organization.