SAJ hosts successful Data Protection Act seminar as implementation date looms

ON THURSDAY, May 11, the Shipping Association of Jamaica (SAJ) hosted a successful seminar for the shipping sector and allied industries on the Data Protection Act, 2020. The transition period afforded by the act comes to an end on November 30, 2023, when all provisions of the act will come into force.

Registrants representing 13 companies were in attendance for the session co-hosted by software solutions company ADVANTUM, which offered them a complimentary 30-minute network consultation to provide an assessment of their information technology infrastructure and recommendations for improvements.

The seminar was facilitated by Joanna Marzouca, an associate in the commercial department at the law firm Myers, Fletcher & Gordon.

The Data Protection Act, which will direct how businesses manage customers’ personal data, requires business owners and their staff to be familiar with its requirements to guarantee compliance. The potentially hefty cost to undertake training and sensitisation efforts to help safeguard individuals’ personal data was among several concerns voiced by participants.

However, Marzouca advised them to consider it as an “investment” rather than an expense, given the potential benefit of improving businesses’ competitiveness locally and internationally, and its attractiveness to customers.

Marzouca continued that the nature of business, especially in the shipping and logistics sector, will mean ongoing interactions with entities outside Jamaica. “You are all in an industry that is not operating within 14 parishes. You’re cross-border; you have a lot of international entities that you will work with. At some point, if not already, they are going to be asking you these questions [about data protection compliance].”

The attorney noted that businesses should focus on implanting data protection compliance into their existing governance structure, which will make the transition easier. “Put these policies and procedures into practice. It is not enough to just have a piece of paper; it is not enough to put a link on your website. Again, they need to be engrained in the way you do business. Again, at a cost, but we are not looking at it as a cost, we are looking at it as an investment.”

Looking ahead, she said companies and their leadership will need to introduce additional methods which will help identify areas of weakness, including penetration testing of information technology systems to assess gaps in their systems.

“Those should be done periodically because technology is evolving, things are dynamic, things will change. Ensure that vendors with access to your data continue to have adequate cybersecurity and privacy policies. If your data becomes more sensitive, the risk is higher, and so their cybersecurity and privacy policies will need to match that. You need to ensure also that your contracts allow for the ability to periodically confirm this,” Marzouca advised.

Additionally, she said companies should consider including cybersecurity updates as a part of board and management meetings and reports, adding that proper documentation will be key in mitigating risk. “If there comes a circumstance where you have a breach or you have a security incident, one of the things you want is to be able to look back and see what was the reasoning behind the decision made for this data processor versus that one.”

Despite the initial uncertainty, Marzouca said the gains to be derived over the long term will make it worthwhile, as recent studies have found that there is an increasingly strong link between effective data protection and high consumer confidence, and that being a responsible custodian of people’s data could positively impact business reputation and, ultimately, revenue.

Jamaica’s Data Protection Act will be fully implemented on December 1, 2023.