Durrant Pate/Contributor
The registration of data controllers, as mandated by the new Data Protection Act, which came into force in December 2023, has been progressing smoothly.
Under the act, a data controller determines the purposes and means of processing personal data and decides the how and why of a data processing operation. A data controller can be a legal person, for example a business, an SME, a public authority, an agency or other body.
Dr. Dana Morris Dixon, minister without portfolio in the Office of the Prime Minister with responsibility for Skills and Digital Transformation, in giving an update on the process in the Senate on Friday (May 10), spoke about the achievements made thus far.
She indicated that, now that the two sets of regulations issued under the act have been gazetted, the online registration form for data controllers is being finalised. The two regulations are the Data Protection Act (Data Protection) Regulations, 2024 and the Data Protection Act (Data Controller Registration) Regulations, 2024.
At the same time, Minister Morris-Dixon told the Upper House of Parliament that the Office of Information Commissioner (OIC), which will police the Data Protection Act, is now at an advanced stage of preparedness for the collection of applicable fees for registration.
Update on registration thus far
The fees for first-time registration as a data controller are: (a) companies and public authorities: $25,000; (b) where the data controller is a partnership: $15,000; (c) sole traders and (d) individuals: $7,500. The fees for yearly renewal of registration are: (a) companies and public authorities: $15,000; (b) where the data controller is a partnership: $10,000; (c) sole traders and (d) individuals: $5,000.
Since December 1, 2023, data controllers have been able to commence the registration process by creating their unique data controller accounts on the OIC website.
As at May 8, 2024, some 760 data controllers have created their accounts with the OIC. According to Senator Morris-Dixon, “it is anticipated that several thousand more prospective data controllers will eventually register with the OIC. This is based on the number of businesses registered with the Companies Office of Jamaica.”
She said the OIC will proceed with the registration of data controllers in the following categories as a matter of priority, beginning June:
1. Ministries, departments and agencies of Government.
2. Data controllers in high-risk sectors such as financial, health, education, tourism, and ICT Services.
3. Data controllers who are required to appoint a data protection officer (DPO).
4. Other controllers processing personal data for in excess of 10,000 data subjects.
Data controllers identified for prioritisation
She emphasized that the data controllers identified for prioritisation represent large stakeholder groupings that are important for the protection of consumers, who undertake transactions locally, regionally, and internationally. While the OIC’s focus during the initial period will be on registering the previously mentioned categories, other data controllers not identified for priority registration will not be precluded from registering if they are ready and wish to do so.
She advised that all data controllers, in anticipation of needing to register, should seek to satisfy the following minimum data protection compliance requirements:
1. Appointment of a DPO or responsible officer for data protection
2. Documented data protection policies and procedures
3. Published privacy notice
4. Data inventory and data mapping
5. Storage for physical records properly secured with limited access
6. Electronic storage secured using at least three (3) privacy and security measures
7. Written agreements with data processors binding them to DPA compliance
8. System for the management of Data Subject Access Requests (DSARs), i.e. requests from individuals exercising their right to information about personal data being processed by a data controller and the nature of the processing activities
9. Breach response strategy and plan
10. Staff training and sensitisation.