
600 data controllers get compliant in first week after DPA grace period

Published: Friday | June 14, 2024 | 12:08 AM
Ainsley Walters/Gleaner Writer
Andrew Gardner (centre), CEO of Blue Chip Strategies, speaks with Christopher Reckord, chairman of the Data Protection Oversight Committee, and Information Commissioner Celia Barclay during the Blue Chip Strategies in partnership with Thales/CrowdStrike and CyberArk: Enhancing Security for Compliance with Jamaica’s Data Protection Act seminar held Tuesday at the Terra Nova All Suite Hotel in St Andrew.

“REGISTER, register, register,” Celia Barclay, Jamaica’s information commissioner, urged business attendees at Tuesday’s ‘Enhancing Security for Compliance with Jamaica’s Data Protection Act’ forum, hosted by Blue Chip Strategies at the Terra Nova All-Suite Hotel in St Andrew.

“We are pushing registration, which, all things considered, is going relatively well,” Barclay said of the urgings from the Office of the Information Commissioner (OIC) to have entities register data protection officers under the Data Protection Act (DPA) passed in 2020, which finally got legs in December 2023 with a compliance grace period of June 1, 2024.

Barclay pointed out that the legislation, titled ‘An Act to protect the privacy of certain data and for connected matters’, affects any entity that collects personal data from the populace, a point driven home by data-privacy expert Chris Reckord.

“DPA speaks to mainly personal data. If you are a company and you process personal data, customers’ information, taking people’s info and using it. If you are saving it, that’s processing. The act is to ensure private information is protected,” Reckord emphasised, citing the seriousness of protecting data subjects from breaches.

Highlighting that December 1, 2023, ushered in actual enforcement of several aspects of DPA, Reckord noted that a Private Sector Organisation of Jamaica survey had shown approximately six to seven per cent of businesses stating readiness.

However, Barclay said she was encouraged by the overall response to the June 1, 2024, grace period.

“Within 24 hours of the registration platform going live on June 1, bear in mind it being a Saturday, we had more than 200 applications in process. By the end of the first week we were over 600. We have had more than 2,000 persons who have created data-controller accounts by June 1,” Barclay pointed out.

“In the first week, 600 persons completed registration and some have made payments for consideration. We are reviewing those for approvals. The good thing is we are seeing a mix of private and public registrations, large and small-scale operators. That goes to show that everybody can register regardless of resources.”

Zeroing in on the path to DPA compliance, the speakers at the near four-hour forum, local experts and renowned international vendors of data-protection tools, held a captive audience, addressing four key points data controllers should observe: know your data; manage your data; protect your data; and documentation and compliance of data.

Noting that penalties for non-compliance range from fines to prison sentences should a case be successfully brought following a data breach, Andrew Nooks, addressing ‘Assessment of the risk’, pointed out that entities that hold clients’ sensitive personal data ought to conduct a risk assessment, which should lead to a risk-treatment plan.

Listing ‘tools in privacy’, Nooks pointed to risk-mitigation strategies using spreadsheets; data-discovery/inventory mapping and classification; data-loss prevention; data-subject access requests; consent management and cookies management.

Presentations by representatives from Thales CipherTrust, CyberArk, and CrowdStrike, leading international data-protection companies, all posited that hackers never sleep and target “low-hanging fruit”: ‘identities’ with lower-level but privileged access.

“Hackers are getting more advanced every day, creating a challenge to protect data,” noted George Alvarez of CyberArk.

“Attackers look for identities which might not give them all privileges but some privilege, the gateway to your data environment.

“Don’t make the assumption that you are not a primary target. They are looking for the low-hanging fruit. Privilege is everywhere. All identities can become privileged under certain conditions,” Alvarez warned.

Last year, Jamaica’s Major Organised Crime and Anti-Corruption Agency estimated that losses due to cybercrime exceed $12 million annually, affecting banking, insurance and furniture retail.

Health records have also been affected, specifically through a breach of the JamCOVID19 platform. Immigration records and COVID-19 test results for thousands of visitors to the island were left exposed at the height of the pandemic. The cloud-storage server used to house data, uploaded by users to the widely used JamCOVID19 website and app, was not adequately protected. This allowed easy access by people on the internet to users’ personal and other data.

editorial@gleanerjm.com