Five Things to Know about the Data Protection Act
The Data Protection Act, 2020 (“DPA”) was passed by the Government of Jamaica in June, 2020. There is a two-year transition period for companies to get their affairs in order to become compliant under the DPA. This transition period commenced on December 1, 2021 and is expected to expire on November 30, 2023. Given the onerous and stringent penalties imposed under the DPA, it is very important for companies to start taking preparatory steps to become compliant. Below, I have highlighted five (5) key things to know about the DPA.
Legal Basis for Processing Personal Data
All companies will be required to have a legal basis for processing personal data. The term ‘processing’ is a very wide concept under the DPA and it includes collecting, storing, disclosing and/or destroying the data. The essence of this is that once a company collects, stores, or transfers personal data, the company must be able to prove that at least one of the following legal bases exists:
· The data subject consented to the processing and has not withdrawn his/her consent;
· The personal data was being processed for the performance of a contract with the data subject;
· The personal data was being processed to comply with a legal obligation or to administer justice;
· The processing was necessary to protect the vital interests of the data subject; or
· The processing was necessary to pursue the legitimate interests of the company.
Registration with the Information Commissioner
The Office of the Information Commissioner (“Commissioner”), i.e. the public body with regulatory oversight of the DPA, was established on December 1, 2021. The functions of the Commissioner include ensuring that companies comply with their obligations under the DPA and handling queries or complaints from data subjects. All companies that process personal data would be required to pay an annual registration fee and to register what are known as ‘registration particulars’ with the Commissioner. The ‘registration particulars’ would include, but not be limited to, the company’s name and contact details, a description of all personal data processed by the company, the purpose for which it is being processed, and any intended recipient(s) of the personal data.
Appointment of a Data Protection Officer
If you are a public entity, or a company that processes personal data on a large scale or processes sensitive personal data, i.e. health or genetic data, you would be required to appoint a Data Protection Officer (“DPO”). The DPO is responsible for monitoring, in an independent manner, the company’s compliance with the provisions of the DPA and is required to report any breaches to the Commissioner. The DPO may be an employee of the company provided that there will be no conflict of interest between the DPO’s duty and any other duties. It is very important that the DPO remains impartial and objective in fulfilling his or her duties under the DPA. Companies must also ensure that they provide the Commissioner with the name and contact details of their appointed DPO.
Filing Data Protection Impact Assessment
Companies will be required to file a Data Protection Impact Assessment (“DPIA”) with the Commissioner with respect to all personal data in their custody or control. The purpose of the DPIA is to identify and assess any potential risks which may arise from processing personal data and the measures taken to reduce or minimize those risks. The DPIA must be filed with the Commissioner annually, within ninety (90) days after the end of the relevant calendar year.
Implementation of Data Protection Policies
Companies processing personal data will be required to implement data protection policies, standards, and procedures which would govern the way in which personal data is processed by the company. These policies are to be written in plain and clear language, and accessible not only to customers but also to employees. Companies should ensure that both customers and employees agree to be bound by the terms of the policies. It is also recommended that third-party service providers engaged by the company be required to comply with the policies.
The implementation of a data protection policy is one of the most effective methods of ensuring that informed consent is obtained by a company prior to processing personal data. This is of particular importance, as obtaining informed consent can minimize the risk of a breach under the DPA.
Failure to comply with the legal requirements above can result in a company being liable to a fine not exceeding 4% of its annual gross worldwide income. Any director, manager, secretary, or similar officer of the company can also be held personally liable if it can be proved that they had consented to the offence or were negligent. A company may also be held liable to pay compensation to any person who can prove that they have suffered some sort of damage as a result of the breach.
Samantha Moore is a Partner at Ramsay & Partners and is a member of the firm's Transactional Practice and Cyber Security and Data Protection Practice. Samantha may be contacted via moore@ramsayandpartners.com or www.ramsayandpartners.com. This article is for general information purposes only and does not constitute legal advice.