Firms urged to ensure compliance under Data Protection Act
Published:Friday | January 19, 2024 | 12:11 AMSashana Small/Staff Reporter
Declaring that there is a “general state of unreadiness on many sides”, Information Commissioner Celia Barclay is urging organisations to utilise the six-month grace period extended by the Office of the Information Commissioner (IOC) to ensure that they are in compliance with provisions under the Data Protection Act in order t avoid penalties.
The act, which came into effect on December 1, 2023, aims to provide greater safeguards for the handling of personal information of Jamaicans held in physical or electronic form.
“You were late for the December 1 deadline. You do not want to be late for the expiration of the six-month period,” she stated.
Barclay was speaking at the inaugural Empower JA forum, hosted by the Private Sector Organisation of Jamaica (PSOJ) in partnership with the Inter-American Development Bank (IDB) at the AC Marriott Hotel yesterday.
Chief governance risk and compliance specialist, attorney-at-law Georgina Gibson Henlin, who was a panellist at the event, outlined that 47 per cent of organisations are partially compliant with the Data Protection Act.
“And that 47 actually took some playing of tune to get them to be partially compliant, and the others, they are still outside saying it doesn’t apply to them. So there is some lack of clarity there,” she said.
But while noting that there is no definitive deadline for the IOC to sanction organisations for non-compliance, Barclay cautioned them against waiting until the eleventh hour to put things in place.
“The unfortunate reality of the culture of Jamaica is when you have a deadline, you wait on that deadline to act. It is a poor practice. It is a negative practice, and it is not a practice that we are going to support as an organisation,” she said.
Barclay emphasised that even though a grace period had been granted, the implementation of the Data Protection Act means that consumers can still bring claims against organisations.
Further, she stated that data protection is not just a legal requirement, but a major consideration for consumers.
“We have seen where consumers are now making their decisions based on the data protection and compliance rate of organisations. More and more persons are looking at whether or not you have a privacy policy in place. More and more consumers are asking, what procedures have you established for me to deal with a suspected breach or a report of an actual breach?” she said.
‘Don’t wait for D-day’
Barclay advised organisations to make data protection and “building trust in your organisation” a strategic goal.
“Don’t wait for a D-day for enforcement. Focus on the requirements for compliance. Start making the investment of effort of energy of resources. Put the necessary systems in place one step at a time, one task at a time,” she shared.
Pointing to data obtained by the IOC, Barclay said that 70 per cent of consumers believe that the companies they do business with protect their data. However, 57 per cent of executives report that their organisations suffered at least one material breach in the past three years.
A survey conducted by the PSOJ between May 17 and July 26 last year revealed that one out of 10 organisations have experienced a cyberattack in the last three years.
The survey was distributed via email to all 308 PSOJ members. However, there were 105 complete answers.
According to the survey, 50 per cent of companies had an educated cybersecurity employee while there were no cybersecurity professionals emailed at 29 per cent of companies that participated in the survey.
Forty-two per cent of participating companies are of the perception that they are likely to experience a cyberattack. However, 83 per cent are confident in their firm’s ability to respond and recover from a cyberattack.
Additionally, 61 per cent of companies that participated in the survey have a cybersecurity policy.
Sacha Vaccianna-Riley, executive director of the PSOJ, noted that data protection is not just a compliance issue, but a critical factor in winning customer loyalty. She rued the number of cyberattacks that have affected “a broad spectrum of businesses” in Jamaica.
“These incidents did far more than compromise data. They struck at the heart of the trust underpinning our entire digital data system. These incidents serve as potent reminders of the pervasiveness of digital threats and underscore the urgent need for robust cybersecurity measures,” she said.