Ben Rapp | What does ‘data protection’ actually mean?

Published: Tuesday | October 22, 2024 | 12:10 AM
Ben Rapp writes: Data protection is not the same as cybersecurity. Despite the name, preventing unauthorised access to data is only part of your duties as a controller.
Ben Rapp

The Jamaica Data Protection Act (DPA) of 2020 created new duties and responsibilities for everyone who deals with personal data. These obligations are backed by the potential for significant penalties for non-compliance and enforced by a new regulatory authority, the Office of the Information Commissioner. None of this may be news to you; perhaps, though, you are still wondering what those words actually mean for your business.

This is the first in a series of articles that will seek to demystify data protection. You will learn what the term means, what compliance with the law really involves, and, crucially, how and why you should seek to be compliant. Let’s begin that demystification with three definitions and a distinction.

WHAT IS PERSONAL DATA?

Personal data is information about persons, as the name suggests. The important point is that it refers to any information, of any kind, that is held in a way that allows a person to be identified. It is not just your name or contact information or Tax Registration Number (TRN). Your shoe size and favourite musician are both personal data if they can be linked to you. So in a business context, everything you know about your customers, your employees, and your marketing prospects is personal data.

WHO IS A DATA SUBJECT?

A data subject is a living human being about whom you have personal data. Your customers, employees, marketing prospects, shareholders, the employees of your suppliers, and members of the public whose data you collect, for any reason, are all data subjects. The rights of data subjects are at the heart of the DPA. It exists partly to convey those rights. Importantly, in Jamaica, your rights as a data subject do not end with your death but persist for 30 years afterwards.

WHO IS A DATA CONTROLLER?

A data controller is any person who makes decisions about what personal data is to be collected, stored, and processed, and for what purposes that personal data is to be used, by whom, where, when, how, and for how long. For incorporated businesses and ‘legal persons’ such as a company with a registration certificate and a TRN, the business itself is the data controller. If you are an unincorporated organisation – a club, association, unlimited partnership, and so on – then your appointed officials (natural persons), trustees, organising committee, partners, etc. are jointly and severally the data controllers. The important thing is that ‘data controller’ designates what or who is legally responsible for compliance. It is not a job title or a function.

WHO IS A DATA PROCESSOR?

A data processor is any person who collects, stores, and processes data only as instructed by a data controller. Importantly, this is not about roles within an organisation – remember that the organisation itself is the data controller, or its controlling officers are, if it is not incorporated. Data processors are businesses (incorporated or otherwise), including individual contractors to whom data is transferred by a controller.

A marketing agency offering direct marketing services on behalf of its clients will normally be a processor, for example. However, in many circumstances, it is possible that a relationship you might instinctively think of as being between a controller and a processor is actually one between two controllers. As soon as the other party is making its own decisions about what data to collect, or whether and for how long to keep it, it becomes a controller in its own right. So when your accounting firm collects your ID documents to meet their regulatory requirements under anti-money laundering laws, they are acting as a controller even though you have a contract with them for them to process the data you control in order to prepare your accounts.

This is a complex and nuanced topic whose surface I have merely scratched here, and it is one that is a continual source of discussion and debate in our profession. Unfortunately, it is also crucial to effective compliance since it determines who is legally responsible and, therefore, accountable for that compliance and for the decision-making that underpins it.

The distinction: Data protection is not the same as cybersecurity. Despite the name, preventing unauthorised access to data is only part of your duties as a controller. There are eight standards in the Jamaican DPA and protecting the security of information is the seventh.

The eight standards are:

1. Lawfulness and fairness of processing

2. Limitation of purpose

3. Adequacy, relevance and minimisation of personal data

4. Accuracy

5. Limitation of retention

6. The rights of data subjects, including the controller’s obligation of transparency

7. Security measures

8. Controls of the international transfer of personal data

There will be subsequent articles explaining each standard and its implications for you. We will also talk about the overall shape of a data-protection programme, how to implement one, and the role of the Data Protection Officer. Each standard brings specific duties and responsibilities. An effective compliance programme combines an understanding and adoption of the spirit of the standard with the preparation and maintenance of the documentation necessary to demonstrate that understanding and adoption to the Information Commissioner and, arguably more importantly, to your data subjects. Compliance matters in its own right, but meeting the eight data standards will also increase customers’ and the public’s trust in an organisation and, in the long term, lead to greater profitability.

Ben Rapp is a data protection expert and group chief executive officer of Securys, Limited, a global data protection firm. Send feedback to info@securys.com.jm and columns@gleanerjm.com.