JAM | Feb 8, 2025

Bob Siegel highlights layers of effective compliance cycle at UTech data symposium

/ Our Today

Andray Lawrence (right), data protection officer at the University of Technology, shares his thoughts on current data protection practices in Jamaica during a panel discussion at the International Data Protection Symposium held inside Lecture Theatre 50 at the university’s Papine Campus on Tuesday, January 28, 2025. Other members of the panel (l-r) are Dr Patrick Anglin, data protection officer at the University of the West Indies; Bob Siegel, president and founder, Privacy Ref; Dr. Nadine Maitland, senior lecturer, School of Information and Technology, UTech; and Godfrey Sterling, director of the Jamaica Cyber Incident Response Team. (Photo: Contributed)

Global data protection expert Bob Siegel urged local leaders to establish a structured “compliance cycle” within their organisations to safeguard client data and ensure compliance with Jamaica’s Data Protection Act (2020).

Siegel, president and founder of Privacy Ref, shared this advice as he delivered the keynote address to a capacity audience of leaders from government agencies, academia, public and private sector organisations at the University of Technology’s (UTech) International Data Protection Symposium on January 28. 

The symposium coincided with the observance of Global Data Privacy Day and was hosted under the theme, ‘Your Privacy Programme and You: Bridging the Gap, Navigating the Next Steps in Data Privacy’. It brought together stakeholders from government, academia and the private and public sector to share strategies for building sustainable programmes under the Data Protection Act.

Layers of effective data compliance cycle

In his address, Siegel told attendees at the institution’s Papine campus that an effective compliance cycle “will end up driving your privacy programme”, which he highlighted consists of three layers – “policies and procedures, training and awareness and compliance and verification.” He gave the following breakdown for each stage of the cycle.

Policies and procedures

Siegel explained that “This is the ultimate starting” of the data compliance regime. It entails:

  • Familiarising yourself with “regulations, statutes and other external factors that are pushing you to do the privacy work.”
  • Becoming acquainted with jurisdictional and industry-specific standards, customer and vendor contracts, business and services expectations as well as cultural and national values.
  • Structuring your organisation’s data policies, making them identifiable with the necessary legislation, statutes, industry standards, and national and cultural values.

Training and awareness

Siegel noted that training and awareness is a necessary component of the compliance cycle that allows for:

  • Engagement and sensitization of data subjects, data processors and data controllers about the company’s privacy policy.
  • The elimination of the risk of data privacy breach by people, who, without active sensitisation and promotion, “don’t read the policies.”
  • The fostering of mutual learning environments where stakeholders can receive feedback and strengthen their privacy policies.

Compliance and verification

According to Siegel’s model, this final stage of the data compliance cycle tests whether a company’s privacy policy and associated enforcement strategies have met the requirements of jurisdictional and other legislative acts and “is where many organisations drop the ball.”

It entails:

  • Implementing and enforcing the organisation’s privacy policy.
  • Employing useful evaluation methods such as attestations, assessments and audits to evaluate the success of the company’s data protection policy and strategies.
  • Analyzing key performance indicators (KPIs) such as breaches, inquiries and complaints, along with the number of records held or destroyed and privacy impact assessments (PIA), to determine compliance trends and the efficiency of the data protection policy.

Corporate culture and data privacy

Siegel also encouraged data controllers to consider the kind of corporate culture that exists within their organisations as they aim to establish and enforce meaningful data privacy policies.

He noted that it is essential for the corporate culture to be supportive of the privacy culture. Therefore, leaders must assess whether there are “different generations that are involved that must work with personal information” in the company. “Different people of different profiles have different support for your privacy programme,” Siegel told the audience.

Considering this, he recommended that leaders make room for tweaks in their training and awareness as well as in their implementation and enforcement strategies “to change people’s perspective to forego what they believe about privacy and adopt what the organisation believes.”

He stated that one of the most effective ways to accomplish compliance is by breaking down laws and regulations into simple transparent requirements starting at a departmental level and in a language that is easily understood. He also highlighted that employees have their own data privacy expectations. As such, departments such as human resources must communicate clearly to current staff and prospective employees how their personal information will be handled from the outset.

Implementation and enforcement gaps

Jamaica’s Information Commissioner Celia Barclay acknowledged that “Jamaica’s data protection regime is still in a nascent state.”

She disclosed that the Office of the Information Commissioner will increase its vigilance on implementation and enforcement activities as “data controllers are still, for the most part, not ready for compliance and data subjects remain largely unaware of the DPA and the rights they have under it.”


To address this, Barclay shared that her office will further prioritize education and host sensitisation initiatives including a Data Privacy Conference on February 19. Notwithstanding the various sensitisation gaps to be filled, Barclay emphasised that “compliance should not be due to fear of enforcement, but rather to a commitment of building trust and maintaining integrity by doing what is right for data subjects and what is required by law.”

Addressing data privacy issues in cyberspace  

Noting the ubiquitous nature of data in present time, UTech president Dr Kevin Brown shared, “We are fully aware of the need for heightened attention to data privacy in today’s fast-paced information-sharing world. As the nation’s STEM university, we are dedicated to leveraging science, technology, engineering and mathematics to tackle societal challenges including data privacy with the aim of reinforcing public trust.”

He added that “Since 2023 with the enactment of the Data Protection Act, we have been at the forefront supporting government to aid understanding and compliance around data privacy.”

With over 100 employees within the education sector also previously receiving training and certification as data protection officers through a UTech/e-Learning Jamaica partnership, Brown said there are evolving calls for collaboration with the private and public sector “to ensure that we enhance the data privacy landscape.”  

Brown stated that through the convening of data professionals and other industry experts at the symposium, the university is actively offering solutions to issues such as “identity theft…unauthorized access of information, misuse of personal information and the troubling use of artificial intelligence to manipulate personal images and to misrepresent data.”

He called for further collaboration between academia and the public and private sectors to strengthen Jamaica’s data privacy landscape.

Noting that the implementation of the Data Protection Act has set a new benchmark for how educational institutions manage personal information, Dr Tameka Benjamin, assistant chief education officer for the Tertiary Education Unit, shared that the Ministry of Education has developed “a comprehensive approach to data protection across the sector.” 

She also stated that the ministry will soon be launching a public education campaign focused on “demystifying the complexities of data protection for our teachers, our parents and students, ensuring that everyone understands their role in safeguarding personal information.”

Training opportunities at UTech

Professor Sean Thorpe, dean of the Faculty of Engineering and Computing, later invited the attendees to consider UTech for training in various aspects of data privacy compliance. 

He noted that the university through the School of Computing and Information Technology (SCIT) is currently looking at offering its data protection and privacy module as a six-week certification course to individuals through the UTechOpen School of Lifelong Learning and Professional Development.

Thorpe explained further that the module looks at topics including policy development and data subjects’ rights. The senior dean also shared that an incident response module is in the making to be offered as a short course to the public.

Sharing a photo moment during the staging of the UTech International Data Protection Symposium on Tuesday, January 28, 2025, at the Papine campus are Pro-Chancellor, Aldrick McNab; Dr Kevin Brown, president; Celia Barclay, Information Commissioner; Bob Siegel, president and founder, Privacy Ref; Dr. Nadine Maitland, senior lecturer, School of Computing and Information Technology; along with data protection officer Andray Lawrence and Godfrey Sterling, head of the Jamaica Cyber Incident Response Team in the Office of the Prime Minister. (Photo: Contributed)

During a panel discussion, symposium organisers Andray Lawrence, UTech data protection officer and Dr Nadine Barrett-Maitland, senior lecturer, School of Computing and Information Technology, reinforced the importance of collaboration in data protection.

“Privacy is a shared responsibility…you bring people in by saying, we have to protect our company’s reputation,” Lawrence stated.

Adding that today’s data is “the gold” which everybody needs, Dr Barrett-Maitland reminded the audience to “remain vigilant and ensure that we are conforming to the standards and the regulations and try to factor privacy in all of our processes.”

She also encouraged attendees to “ensure that we are aware of what we are supposed to be giving, doing and how our data will be handled.”
