The DATA PROTECTION ACT (the “Act”) was recently passed in both the House of Representatives and the Senate and is now awaiting final approval from the Governor General of Jamaica. The Act will not come into operation, however, until the Government of Jamaica (“GOJ”) has publicly appointed a date that the Act will take effect. Additionally, companies will have a transition period of two (2) years from the appointed date to take the necessary steps to ensure full compliance with the requirements under the Act.

Once the Act takes effect, it will no doubt have an impact on the manner in which personal data is processed i.e. collected, stored, used, disclosed and destroyed. Failure to comply with the requirements under the Act can result in a company being liable to fine not exceeding 4% of its annual gross worldwide income. It is therefore important for companies to start implementing certain technical and organizational measures to ensure that they are operating in accordance with the Act.

Companies who process personal data will be required to ensure that they are processing the data in a safe, secure and confidential manner and otherwise in accordance with the provisions under the Act. Some of the legal requirements imposed upon a company who processes personal data are-

1. appointment of data protection officer;

2. registration with the Information Commissioner and payment of an annual registration fee;

3. processing of personal data in accordance with certain international standards; and

4. annual filing of a data protection impact assessment.

Note that once you collect, store, use, disclose or destroy the personal data of your customers/employees/guests/clients, you are required to comply with the legal requirements under the Act. There is no specific company or entity which is exempted from the Act. The Act is applicable to both public and private entities.

RamsaySmith provides timely advice to help companies prepare to satisfy their statutory obligations under the Act. Additionally, we would be able to assist with-

1. the drafting and/or reviewing of data protection policies;

2. the drafting and/or reviewing of data processing and data transfer agreements;

3. reviewing existing contracts in place with employees and third- party service providers to ensure compliance with the Act;

4. conducting data protection and privacy audits to ensure that your organization is compliant with the Act; and

5. conducting training sessions on the Act.