As a CEO, you have a critical responsibility to ensure your organisation is taking the necessary steps to protect the personal data of your customers, staff and other relevant stakeholders.
With the six-month grace period drawing to a close in May of this year, here are 10 key questions you should be asking to evaluate and strengthen your company’s data protection practices and compliance with the Jamaica Data Protection Act.
# 1. Have we done a thorough assessment to properly identify and manage our risks?
Ensure that a comprehensive gap analysis or risk assessment is conducted to understand your organisation’s unique data protection vulnerabilities. The gap analysis measures your current practices against the specific requirements of the Act; the risk assessment should cover threats like cyber attacks, insider threats, human error, natural disasters, and more. Develop a risk management plan that prioritises mitigation strategies for your highest-risk areas. This initial assessment is considered a global best practice and will serve as the foundation of your data protection programme.
# 2. Are we fully aware of and are meeting our regulatory obligations?
Confirm your organisation is adhering to mandated requirements for data collection, usage, storage, and breach notification. Note that these may vary based on industry and the nature of your operations.
# 3. Are our data protection procedures and policies properly documented?
Ensure you have comprehensive, up-to-date written policies covering areas like data governance, access controls, incident response, and more. These should be clearly communicated and consistently applied across the organisation, and reviewed on a set schedule so that they reflect how the business actually operates.
# 4. Are we providing effective staff sensitisation and training?
Educate your employees on data protection best practices, security threats, and their role in safeguarding company information. Implement regular training programmes and simulations to reinforce secure behaviours and incident reporting, and make sure staff know whom to report a suspected breach to and how quickly.
# 5. Do we have a robust vendor due diligence process?
Evaluate the data protection controls of any third-party vendors, suppliers, or partners that have access to your customers’, staff’s or other stakeholders’ personal information. Confirm they have appropriate security measures in place and contractually bind them to your data protection standards, including the obligation to notify you promptly of any breach involving your data and your right to verify their controls.
# 6. Have we implemented comprehensive measures to protect both our digital and non-digital information assets?
Always remember that data protection is not just about IT and cybersecurity measures. While it is important to assess the effectiveness of your network security, access controls, encryption, and other technical safeguards, you must also review how you handle and secure physical documents, records, and other analogue assets that contain personal data. Ensure you have the right mix of people, processes, and technologies to detect, prevent, and respond to both cyber and non-cyber threats. Most importantly, make sure there is a comprehensive data backup and disaster recovery strategy in place to protect against data loss or corruption and to allow you to quickly restore operations in the event of a system failure or natural disaster. Backups are only as good as your last successful restore, so test them regularly and keep at least one copy isolated from the systems they protect.
# 7. Will we need to appoint a dedicated Data Protection Officer (DPO)?
Depending on the nature of your data processing activities, i.e. if you process sensitive personal data, if you are a large-scale processor or if you are a public authority, you may need to designate a DPO to oversee and coordinate your data protection programme. Evaluate whether this specialised support would be more efficient and cost-effective to outsource.
# 8. Do we have a data protection governance framework outlined? What are the KPIs?
Establish a data protection governance committee that will outline the key performance indicators to measure the effectiveness of your data protection programme. These could include metrics like the number of data breach incidents and time taken to contain them, compliance violations, employee training completion rates, and more. Most importantly, ensure that these metrics feed into your broader strategic plan for the organisation and that reports are made to you and/or the company board at least quarterly.
# 9. How does our data protection strategy align with our business growth plans?
As your organisation expands its operations, customer base, and data footprint, continuously re-evaluate your data protection approach. Identify any gaps or vulnerabilities that may arise and adapt your controls accordingly.
# 10. How can we capitalise on the investment made?
Customers are increasingly concerned about data privacy and security. Demonstrating a strong commitment to protecting personal information can help build trust, differentiate your business and enhance your brand reputation to gain a competitive edge. Once you have taken the necessary measures to safeguard the personal data your company holds, enlist your communications team to showcase your efforts and reassure your customers that you are the brand of choice to do business with. Keep those claims accurate and specific to what you have actually implemented; overstating your security posture creates a liability if a breach later occurs.
By proactively addressing these 10 critical data protection questions, you can help safeguard your organisation’s personal data, maintain regulatory compliance, build trust with your stakeholders and ensure business sustainability.
Kashta Graham is an ISO 27001 Certified Information Security Manager and chief executive officer of We Manage Trust