‘Don’t collect more than you need’

Companies urged to begin preparing for Data Protection Act coming into effect

Published: Thursday | March 2, 2023 | 12:37 AM | Asha Wilks/Gleaner Writer

Organisations registered under the Companies Act have been instructed to begin preparations to ensure compliance in anticipation of the Data Protection Act (DPA) taking effect on December 1, 2023.

The Government is fine-tuning regulations to bring the DPA into effect after it was passed in 2020.

Sherry Ann McGregor, a partner at the law firm Nunes, Scholefield, DeLeon and Co, is recommending that businesses follow a list of short-term practices, beginning with an audit of all personal data held and an assessment of whether each item is still relevant or should no longer be held.

The other processes, she said, include recording where personal data is held, why it is held, when it was received, and from whom it was received.

She further added that businesses must review any consent permitting use or sharing of such data and ensure that consent is explicit.

McGregor was speaking on Tuesday at a data-protection webinar dubbed ‘Staying Ahead of the Game: Preparing for Jamaica’s Data Protection Act’, which was organised by the American Chamber of Commerce of Jamaica.

Organisations were also urged to ensure that all personal data held on an individual can be found, if requested, even if the data is spread across multiple databases, and to consider whether information technology (IT) and other security measures and policies are sufficient to store data.

Additionally, it is suggested that they also consider limiting employee access to clients’ personal data and to review client-engagement letters and consent forms related to the use of personal data.

McGregor stated that maintaining the privacy of people sharing their personal information with third parties is important, owing to the numerous threats of data-confidentiality breaches throughout the technological landscape.

The act, she further stated, provides data subjects – individuals whose personal details, which can be used to identify them, are collected, stored, or used by an organisation – the right to maintain their privacy and to demand protection of such information when it is used.

Fines and penalties

If the DPA is not followed, criminal sanctions such as fines and penalties for breach include, among other things, a $1-million fine if the data controller fails to provide registration particulars when requested. A body corporate that commits an offence under Section 68 of the DPA can be fined an amount not exceeding four per cent of its annual gross worldwide turnover for the preceding year of assessment in accordance with the Income Tax Act. For wilfully and unlawfully breaching pseudonymisation or encryption applied to personal data, a fine of up to $2 million applies.

Stuart Hylton, senior manager of IT compliance and data privacy at Symptai Consulting Limited, added further insight by stating that to prevent non-compliance, businesses should reflect on whether they have been gathering information on a “just-because” basis.

He cited the example of businesses asking customers for information such as their mother’s maiden name and a list of all their dependents but noted that these businesses would not need this data based on the nature of their operations and might only be gathering it “to cover ourselves or to have the information”.

“Don’t collect more than you need, don’t keep it longer than you need to, and ensure that it is protected while it is in your care,” McGregor chimed in.

She insisted that businesses should consider the eight data-protection requirements when determining whether they are collecting the information they need. These requirements include ensuring lawfulness and fairness; ensuring that the purpose for which personal data is obtained is consistent with the law and the stated purpose; ensuring that the data is adequate, relevant, and limited to the purpose of collection; ensuring that the data is accurate; requiring that the data be stored properly for a designated period of time; ensuring compliance; avoiding unauthorised processing; and refraining from international data transfers.

Hylton noted that, given that we are living in the data economy, companies needed to understand their obligations and also to put in place practical measures to guard against cybersecurity threats.

“You’d be surprised how often things like persons just walking through the front door of a building and trying to pick up paper files off of a desk still occur,” he said.

Hylton recommended that companies host sensitisation training sessions for employees, encourage them to lock their computers when they are not in use, keep their desks free of sensitive documents when absent from location, and instruct them to avoid clicking on phishing emails and links.

He also advised companies to get a third-party assessment of their security posture and encouraged companies to get registered by November 30 under the Companies Act prior to the roll-out of the DPA.