SAJ members urged to comply with Data Protection Act

SHIPPING ASSOCIATION of Jamaica (SAJ) President Corah Ann Robertson-Sylvester is urging members of the association to take the steps necessary to ensure that their organisations are compliant with the new requirements of the Data Protection Act (DPA), which came into effect on December 1, 2023, marking a major change in how businesses handle personal data in Jamaica.

Despite the fact that the Office of the Information Commissioner (OIC) extended a six-month grace period for all data controllers to register with its office, the SAJ president is warning the industry that based on the amount of work involved, the time will move very quickly, and so members should not relax their efforts in ensuring that all systems are put in place before the extension period passes.

The act, which was passed in 2020, outlines how organisations collect, store, use, disclose, and dispose of personal data.

As outlined by the act, personal data is information (however stored) relating to a living individual, or an individual who has been deceased for less than 30 years, who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller. It includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual’.

A data controller is defined as any person or public entity, who, either alone or jointly or in common with other persons, determines the purpose for which and the way any personal data are, or are to be, processed.

For members of the Shipping Association of Jamaica, adherence to the DPA is an urgent priority. As data controllers within an association, it is important to determine whether the DPA applies to their operations. This determination is based on several factors, including the processing of personal data and the offering of products or services to people living in Jamaica.

An underlying aspect of compliance is the registration process with the OIC. Data controllers are required to provide thorough information, including contact details, data processing descriptions, and measures taken to ensure compliance. SAJ members are encouraged to visit the OIC’s website to register their organisation as part of their ongoing groundwork to establish procedures to become compliant.

A major feature of DPA compliance is the handling of personal data as data controllers must assess the types of personal data they handle and establish lawful bases for the processing of each. These bases may include legal obligations, legitimate interests, or consent, with careful observance of consent conditions stipulated in the DPA.

Data controllers must scrutinise data transfers to third parties and processing by data processors to ensure that adequate technical and organisational security measures are in place to safeguard personal data.

In preparation for compliance, the development of a robust privacy policy is important. It should outline data-processing procedures and contact information. Additionally, data controllers must conduct a thorough review of existing business processes, policies, and documentation to ensure alignment with DPA requirements. This includes making notifications to the OIC and providing responses to data subject access requests.

Importantly, data protection is not solely the concern of large institutions. Compliance with the DPA is required for all data controllers, regardless of their size. Non-compliance carries significant risks such as reputational damage and penalties. Therefore, investing in data protection is not purely a regulatory obligation as it also protects the brand and reputation of businesses.