With mere months to go before the implementation of the Data Protection Act, DPA, on December 1, at least two state-run offices have started the hunt for a professional or firm to design and guide the execution of a data protection and privacy programme.
Private-sector firms are also readying themselves for the changes to come, with some at least taking the first step of having their businesses registered with the Office of the Information Commissioner, OIC, according to Sales and Marketing Manager of tTech Marsha Bucknor.
But after weeks of trying to ascertain the state of readiness by public and private sector entities to start applying the protections for consumers that the new law demands, the Financial Gleaner was only able to get bits and pieces of information.
The banks have said that the laws that guide their operation already demand protection of banking and accountholder information. So for them, compliance with the DPA won’t be as onerous as for, say, the retail sector, which has neither that tradition nor the infrastructure.
tTech has long been in the business as a tech service provider, but its top line has grown recently from an outpouring of requests for guidance in preparing clients for the implementation of the DPA, which defines and establishes the general scope and principles for the treatment of personal information obtained during the normal course of business by both public and private sector organisations.
In response to the demand, tTech has partnered with Design Privacy, effectively broadening its offerings to include more technical control services.
“We started a special offer a few months ago to get firms ready for the changes but have had to keep that offer running because of the growing demand. About 30 per cent of our client base has already taken advantage of that offer,” Bucknor told the Financial Gleaner.
tTech takes on a new cohort of clients for its data-protection workshop each quarter, and the offer spans services, including technical risk assessments and encryption assessments. But it comes at a cost of US$6,000 or $934,000 in local currency for each client.
State-run offices are, however, taking a different approach when it comes to external help on the new but complex and stringent rules.
Both the Urban Development Corporation of Jamaica, UDC, and the Ministry of Science, Energy and Telecommunications and Transport, MSETT, have publicly advertised vacancies to have a firm or individual working in office on the reform of their data-processing practices.
They wrapped up the hiring process last month.
The UDC was on the hunt for a chief privacy officer, a contract post that will see the incumbent overseeing and managing the implementation and ongoing data-protection operations within the corporation. Meanwhile, the MSETT closed bids on its request for consultancy services on August 25.
The two government institutions are the first out of the block on efforts to start complying with the DPA, but following closely behind them is the Passport, Immigration and Citizenship Agency, PICA, with movement towards the appointment of a data-protection officer, Information Commissioner Celia Barclay told the Financial Gleaner.
While the rush is on to recruit qualified professionals to act as data protection officers – which may be an individual or firm responsible for keeping the data controller or the data processor in compliance with the law – Barclay’s own efforts continue to get the Office of the Information Commissioner, the policing agency, fully operationalised nearly two years into her appointment.
Two months ago, the OIC advertised six positions, including that of a strategic planning and monitoring officer, some of which have since been filled. The growing team is said to be meeting with different interest groups to better understand some of the issues and concerns around getting ready for what is to come.
However, efforts to get an update on readiness of the state agencies and private firms from the OIC have been unsuccessful.
Still, the Financial Gleaner understands that because of the seriousness of the Data Protection Act and the penalties for breaching it, apprehension is mounting rapidly, along with questions largely around the transitional period and the effective date for enforcement.
The new law, which applies to both public and private sector organisations, was passed in 2020 but is set to take operational effect in December 2023, by which time the attendant regulations were to be promulgated.
Under the DPA, the obligations of public and private firms that process, store, share, view or destroy personal data collected in the normal course of business span the fair and lawful processing of personal data; obtaining consent for any direct marketing; respecting the rights conferred on data subjects with regard to automated decision making; and adherence to written requests for the prevention or cessation of processing.