15 Frequently Asked Questions for Data Privacy Day

1. Q: When did the Jamaica Data Protection Act come into effect?

A: It came into effect from December 1, 2021. This is the first date on which the Act was brought into force. Notice of this is in the Gazette dated November 30, 2021. It established the Office of the Information Commissioner and matters pertinent thereto.

2. Q: What does this mean for a data controller?

A: The data controller has two years from the December 1, 2021 to take steps to ensure that it is in compliance with data-protection standards.

3. Q: Does my organisation have to register with the Office of the Information Commissioner (OIC)?

A: Yes, when the office is set up and if your organisation processes personal data.

4. Q: What happens if my organisation does not register with the OIC?

A: Your organisation will be prohibited from processing personal data and will be deemed to have committed an offence. Your organisation can be slapped with a fine of up to two million dollars for this offence.

5. Q: What details are required for registration?

A: The following details are required:

i) The organisation’s name, address, and other relevant contact information;

ii) The name, address, and other relevant contact information of the organisation’s representative;

iii) The name, address, other relevant contact information of the data protection officer;

iv) A description of the personal data being or to be processed by or on behalf of the organisation;

v) A description of the categories of data subjects to which processing relates;

vi) A description of the purpose(s) for which the personal data are being or are to be processed;

vii) A description of any recipient(s) to whom personal data will be disclosed;

viii) The names of states or territories outside of Jamaica to which the organisation directly or indirectly transfers personal data;

1 Section 18(3) of the Data Protection Act

ix) Where the organisation is a public authority, a statement of that fact;

and

x) Any other information as may be prescribed in the regulations.

6. Q: How may an organisation gather the information on the description of the personal data, the purpose for which or the categories of data being processed or the countries to which data are being transferred?

A: By creating a privacy team and conducting a data-mapping exercise.

7. Where will my organisation’s particulars be kept?

A: On the Information Commissioner’s Register.

8. Q: Is there a registration fee?

A: There will be a registration fee. This will be prescribed by the regulations.

9. Q: Are there any other fees to be paid to the Office of the Information Commissioner?

A: Yes, an annual fee must be paid for the maintenance of the organisation’s particulars in the register. This fee will be prescribed by the regulations.

10. Q: What happens if the annual fee is not paid?

A: Your organisation’s particulars will not be retained on the register.

11. Q: What is a Data Protection Impact Assessment (DPIA)?

A: A DPIA is a process used to identify, assess and address personal data-protection risks based on the organisation’s functions, needs and processes. The process is usually performed with the use of a questionnaire.

12. Q: Are organisations required to submit a DPIA to the commissioner?

A: Yes. Organisations must submit a DPIA to the commissioner in respect of all the personal data in its custody, unless the commissioner directs otherwise.

13. Q: When should the DPIA be submitted?

A: The DPIA must be submitted within 90 days after the relevant calendar

year.

14. Q: What should the DPIA contain?

A: A DPIA should at least contain:

i) A detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable, the legitimate interest pursued by the data controller;

ii) An assessment of the necessity and proportionality of the processing operations in relation to the purposes;

iii) An assessment of the risks to the rights and freedoms of data subjects; and

iv) The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, considering the rights and legitimate interests of data subjects and other persons concerned.

15. Q: Are there benefits, apart from sanctions avoidance, to companies who are implementing measures consistent with the requirements of the Data Protection Act?

A: Yes. Benefits include:

a) Little to no litigation exposure and costs;

b) Improved consumer trust;

c) Improved brand reputation; and

d) Increased business growth.

PRIVACY & LEGAL MANAGEMENT CONSULTANTS LIMITED