While the Data Protection Act (DPA) 2021 has been onerous for businesses to implement, founder and group CEO of Securys Limited Ben Rapp believes that an organisation’s compliance with the legislation can serve as competitive advantage.

In a panel discussion at the 40th anniversary of BizTech Conference, titled ‘Turning Policy into Practice: Effective Data Privacy Solutions for Modern Organizations’, Rapp pointed out that achieving compliance with the legislation creates trust and confidence among customers and suppliers, which further attracts investment.

“Eventually, as you find that it (DPA) becomes part of the landscape, the basic compliance expectation is something that everybody acknowledges they have to do, and you start trying to work out, you see more foresighted organisations trying to work out how to leverage it as a competitive advantage,” he told moderator Alexia Beckford, also the programme manager for Jamaica Technology and Digital Alliance.

“And what we’re trying to do here in Jamaica is to sort of challenge that, is get people as quickly as we can to the point where they’re seeing the advantages and using that to drive their business, so that we can shorten this period where everybody’s feeling resentful and just kind of grinding along going ‘I have to, so I will,’” he continued.

The DPA came into effect last year on December 1, 2023, requiring that businesses and organisations which collect data to register with the Office of the Information commissioner as data controllers and indicate the processes involved in collecting, retaining, transferring and disposing of data. Under the Act, which is modelled from the European Union’s General Data Protection Regulation (GDPR), organisations are also required to hire or task the management of data to a data protection officer.

According to International Association of Privacy Professionals, there are 137 countries that have an iteration of the GDPR including The Bahamas, Barbados and jurisdictions in the Organisation of Eastern Caribbean States.

Looking at the implications of the legislation on the local economy, Rapp explained,” It’s also about powering the economy because data protection and fairness drive trust. And if you want to be trusted by your customers, you need to show that you’re doing this right.

“And those customers aren’t just in Jamaica. So I was at a JAMPRO mission in the UK a couple of weeks ago and we were talking about the Jamaican digital export drive and knowledge export economy. [If] Jamaica is serious about building a knowledge export economy, it has to have a functioning local data protection regime in order to be able to import data from the rest of the world. If you want to trade with the rest of the world, that trade will involve data,” he added.

Rapp, whose company provides consultancy to firms to understand the EU GDPR – now branded the UK GDPR – further informed that for Jamaican companies to engage with large multinationals, they have to pass a vendor assessments. Reiterating the need to have a functioning data protection regime, the Securys founder said that having one is another driver of Jamaica’s economic growth.

Chantalla Griffith, manager – Technical Support Unit at Jamaica Promotions Corporation (JAMPRO), who was the other panelist concurred, sharing that “what compliance does, it opens opportunities”.

“So first of all, there’s the internal opportunity, as was mentioned earlier. When you start going through the process, the mapping of your data, you start to see the points, and you start to see the opportunities to say, ‘Hey, how can I improve this process?’… So it actually helps with corporate efficiency ’’ she outlined.

Griffith added that compliance with the DPA also drives confidence as it creates a due diligence vetting process, similar to Know Your Customer applications in the financial sector, and indicates that Jamaica is open for business.

For Rapp, rather than seeing the data protection process as a burden, organisations should realise that having the data, and security it, should be an asset. In this regard, he called on organisation, whether private or public sector or non-profits to have “a proper risk management programme” to transform data into an asset.

He continued: “There is this wider need to have a broad embrace of data as the future of the way that we do business. So I think we’re trying to get people to that point of seeing this as a necessary thing for export, for governmental trust, for private sector trust, and for family generation.”

So how can organisations generate true value out of the data protection process?

Griffith pointed out that it requires general staff education, highlighting that JAMPRO took an organisation-wide approach to sensitising its employees about the handling of data, including who has responsibility to access specific information. And this, she said, is critical to driving investments into the country.

“…The more entities we have coming out [to comply with the DPA], public entities, private entities, it actually helps to enhance the business environment. Because now that dictates to our global and international partners…Jamaica, as a country, we are ready to take on certain businesses,” she related.

“We can trust that when these partnerships are made, how the information will be handled… that will help us to improve the investments and the type and the level – high-level investments that we’re trying to attract, particularly in the digital space,” she further explained.

Still, Rapp underscored the importance of cross-organisation responsibility, noting that data protection should not just be passed off or dumped on legal and information technology departments, but, like customer service and product quality in any company, should become everyone’s responsibility.

“What that means is that if you’re trying to decide where to focus your effort, frankly, the best place is on sensitisation and training for everybody in your organization who touches data to at least understand a bit better what they’re doing and why they’re doing it,” he said.

In addition, he pointed out that data protection is not a “destination” but a journey that requires continuous improvement.