On March 21, 2024, Jamaica’s Prime Minister, Andrew Holness, in his 2024 Budget Debate speech, indicted that Jamaica’s Data Protection Act is a key element in the rollout of Jamaica’s national ID program. “A functional Data Protection Act and operational body is a prerequisite for the rollout of the national ID.” Holness stated. “Last year, significant provisions of the Data Protection Act came into force, including the requirement of data controllers to register. The Office of Information Commissioner has launched its official portal through which data controllers can register.”
Holness continued to say that the Jamaican government is fully aware that many organizations have concerns about the Act, specifically those in the MSME (Micro, Small & Medium Enterprises) sector. As the Act requires data controllers to register, and this registration process requires organizations to provide certain specific particulars, it is clear that smaller companies might feel overwhelmed and have concerns about being able to demonstrate compliance. More importantly, registration requires businesses to implement certain organizational and technical measures in order to properly comply with the Data Protection Act.
While it was announced last year businesses would have a six-month extension to register as data controllers with the Office of the Information Commissioner, many officials, including the Information Commissioner, Celia Barclay, stated businesses should not wait and that they should continue efforts to ensure they will be ready to register when the OIC begins accepting these registrations. Businesses were encouraged to take advantage of the grace period, and to use the time to ensure their readiness for registration.
Holness continued, “Last year, we granted a further six months extension for data controllers to prepare for compliance with the provisions of the Act. We are now actively exploring how we can provide further time especially to our MSMEs. To this end, the Office of the Information Commissioner will be following general international best practice by adopting a strategic approach to the implementation of the Data Protection Act. Upon the end of the grace period in June 2024, the Office of Information Commissioner will only commence registration with controllers in the following categories:
- Ministries, Departments and Agencies of Government;
- High risk sectors such as financial, health, education, tourism and ICT services;
- Other businesses that conduct data processing on a large scale or that have a significant risk of prejudice to a large number of data subjects; and
- Data controllers who are required to appoint a Data Protection Officer”.
This seems to indicate the OIC will be initially focusing on the higher-volume, higher-risk data controllers while allowing other (smaller) organizations more time to prepare. Holness stated the OIC will publish the categories of controllers required to registered. He further stated that organizations who may have questions may liaise with the OIC to clarify whether or not they need to register in June.
Holness made it clear that measures are being taken to minimize the burden on businesses, specifically smaller businesses. “We believe this approach balances the rights and interests of the people without placing an unnecessary regulatory burden on small businesses. We are a listening Government and we are doing what we can to address the concerns raised by implementing the Data Protection Act in a strategic and responsible manner.”
Organizations interested in learning more about the Data Protection Act, the registration process, or any aspect of compliance with the Act are encouraged to reach out to the Calibra / DPSA team to schedule a call. Our team has been assisting many businesses in Jamaica with their compliance efforts. Interested organizations should reach out to Gracia Whyte at gracia.whyte@calibrasolutions.com.