J’can companies urged to get up to speed on safeguarding clients’ data

The content originally appeared on: Jamaica News Loop News

The six-month grace period during which companies and organisations must register with the Office of the Information Commissioner (OIC) under Jamaica’s new Data Protection Act ends in June, after which the legislation that became effective on December 1, 2023 will become operational.

With time remaining for the relevant entities to comply, particularly with their appointment of data controllers, a veteran, overseas-based data protection officer (DPO) is encouraging Jamaicans to embrace the paradigm shift.

Julian Hayes, managing director of Veneto Privacy Services, said it is important that Jamaican businesses begin to make the shift in how they operate.

Veneto Privacy Services, based in Dublin, Ireland, is a data protection and information security services firm that specialises in telecommunications managed data privacy services.

He said this was especially important in the way they handle their clients’ information and also the expectations customers have of these entities, both public and private, with which they do business.

“It’s a bit of a learning curve for Jamaican citizens with this new data protection obligation that companies have. It’s new for everybody, it’s new for businesses, but it’s also new for individuals living in Jamaica who will have a right of access and a right of deletion of personal data and also to correct inaccurate personal data,” Hayes told Loop News in an interview.

Hayes highlighted that if any company has incorrect information on file about an individual “they have an obligation to correct it”.

“It’s a big change and, importantly, the Information Commissioner in Jamaica, Celia Barclay, she has very strong powers of enforcement, so if companies are not compliant with the Act, they should expect to face enforcement procedures which is very disruptive to business,” Hayes noted.

Hayes also acknowledged that customers/clients may be nervous that their information could be compromised, as with the recent admission by US telecommunications company AT&T, that data on 73 million of its current and former customers had been leaked on the dark web. Among sensitive information exposed were social security numbers and addresses.

Search engine giant Google also lost a class action suit brought against it in the US by persons who had accused the company of spying on them online, even when they switched to the incognito mode, which should have ensured they could not be tracked on the Internet.

“You can’t eliminate every risk, that’s a huge challenge, but data protection risks need to be mitigated based on the severity of the issue and the compromise to the individual,” said Hayes.

The Ireland-based DPO, who also does business in the US and Canada, and who lists telecommunications giant Digicel among his Jamaican clients, said it was important that data protection is seen as a “business enabler”.

This, he explained, is where businesses are perceived to be taking a proactive approach to protecting their clients’ information.

“The company will appear transparent and people like security,” he stated.

For financial institutions that have faced the challenge of clients’ information being accessed and bank accounts emptied, Hayes advised:

“The main thing is for them to be proactive in their communication to the public. They must inform the public of the types of threats that they face and promote KYC (know your customer) initiatives. They need to be super aware, and also the individual customers have a right of recourse if an institution has failed to protect their data.”

Hayes posited that, in many cases where data is accessed, “it’s an insider job; it’s a rogue employee who works in the operations centre who has access to critical information, to its data”.

The managing director shared that a valid European Union passport is worth around US$50,000 on the black market, “so it’s extremely valuable information”.

Speaking of Jamaica’s OIC, Hayes expressed: “I think the commissioner’s office is taking a very proactive approach, they have been on the news; they’ve been informing people of the implications”.

Driving home the point about the importance of protecting clients’ data, he added, “In other parts of the world, like in Eastern Europe, personal data has a value; it can be resold. If you’re able to replicate your data ports … then you can fabricate another person’s identity, and that’s extremely damaging for individuals”.

Hayes said Jamaicans would see the importance of data protection “if you think about your personal data as an asset, it’s your own personal information.

“If you have a contract signed with a bank, which is holding this information, for example, they may have photocopies of your ID and other critical information. If they lose that or if they fail to maintain it in a secure manner, it can have serious repercussions for both you and them,” he said.

Hayes has 20 years’ experience as a DPO, while Veneto Privacy, which has been in operation for eight years, offers remote data protection officer services.

As to whether this is a better option than having an in-house data protection officer, Hayes said:

“There’s no issue with providing data protection services remotely. I’ve done projects (remotely) for telecoms providers in Jamaica and the Caribbean.”

The managing director highlighted that in the US, many of the consultancy businesses are both large scale and automated and come with exorbitant fees.

Pointing to his two decades as a DPO offering practical telecoms and consumer services, specifically data protection security, Hayes told Loop News: “We can, therefore, offer a much more economical service to companies in Jamaica.”

He added, “If a company doesn’t want to hire a data protection officer, perhaps if they don’t have the adequate competencies to do data protection, then they could examine our services.”

He insisted that the big professional services companies in the US charge millions for advisory service while Veneto will provide the same service at much lower rates.

“If the company wants to have its own data protection officer, we can support them in any way they want,” he said.

Speaking of the Data Protection Act that was passed in the Jamaican Parliament in 2020 and which draws heavily on the European Union model, Hayes said: “It’s really well drafted; it’s very clear and very transparent in terms of what the obligations are.”

He noted that it applies to businesses in the financial sector, including credit unions and small businesses.

“So it’s applicable across the whole of the economic sector,” Hayes said.

He also noted that the extended time given to companies to register with the OIC was to allow them to adapt and make changes as they prepare for compliance.

“The biggest concern I would have is that there are criminal liabilities for non-compliance, which includes jail time. So directors of businesses can be placed in jail if they don’t take the proper measures to be compliant,” said Hayes, before joking that “I don’t know about you, but I don’t fancy spending any time in Kingston’s jails”.

The veteran DPO said his company offers practical data advisory services for real actions.

“We’re not lawyers, we don’t practice law; we give definitive advice and we stand by our decisions, and that’s always been the way that I have worked with Digicel, in terms of the projects that I have supported over the last five years,” he said.

When asked how crucial it is that Jamaican companies get the right help to ensure they are off on the right footing, Hayes said:

“I think the best way is to have a look at the current processes. Jamaican companies have good information security programmes, which are quite robust at maintaining information security. That is really a good label to put on top of data protection controls.”

He also pointed out that data controls are multi-level.

“It’s around transparency, it’s around providing access to personal data for individual customers, but there are also authentication requirements,” Hayes said.

He said it is critical for companies to ensure that where information is requested, it is being given to the right person. This, he advised, could be addressed during an orientation exercise.

Veneto has also provided DPO services to telecommunications services in the UK and Ireland, and has also provided data protection security consultancy in Jamaica and Western Europe.