Establishing a base for a data privacy consultancy in Jamaica and the wider Caribbean was the furthest thing from Ben Rapp’s mind when Sagicor Financial Company (SFC) presented him with an opportunity to manage a project, yet that chance encounter served as the springboard for the Securys Limited founder to explore his options in the region.

 “We built the privacy programme for Sagicor across the Caribbean [and] we started with them here in 2021, I think, early 2021, and that then grew from doing some sensitisation and policy work for them here [in Jamaica] into looking after them in the Southern Caribbean with SLI (Sagicor Life Insurance), and then back to here to run the whole of the Caribbean privacy programme,” Rapp told Our Today.

Upon completing the project, Rapp readied for his departure from St Lucia for the United Kingdom. But it was at his farewell party that he had an ‘Aha!’ moment, realising a confluence of factors pointing to an opportunity to build out his operation.

With offices in the United Kingdom, Ireland, Asia and the United States helping companies meet the compliance requirements of the European Union’s General Data Protection Regulation (GDPR), the Securys Founder found that the Caribbean was an underserved and overlooked market. Moreover, his project with Sagicor coincided with the passing and promulgation of Jamaica’s Data Protection Act 2021.

Rapp concluded that with his over 20 years in the technology industry, and providing data protection services through Securys Limited, his services would become a necessity in Jamaica.

“I was coming out here to do the work for Sagicor, I was meeting all these very clever lawyers and thinking, well, there are a lot of lawyers [and] a lot of very smart people on the ground in Kingston. There’s a new law, so there’s obviously an economic opportunity for us. It’s a region that people seem not to have noticed, but obviously, I know about [it] because I live here,” he explained.

“We could do something out here as part of the Jamaican BPO export drive to build a hub in Kingston of smart lawyers and technologists and business analysts and use them to serve what we call GMT minus four to GMT minus six. So Canada, East Coast, US and Latin America,” Rapp continued, underscoring that Securys Jamaica operates as a knowledge process outsourcing provider to companies in the Caribbean and US.

With a low saturation of data protection experts, Rapp began his work. Securys was incorporated in Jamaica on February 1, 2024.

Though he understood the difficulty in paying salaries at the rate of some states in the US, the founder said that the company now pays its staff at internationally competitive rates. Securys has a staff complement of eight full-time employees in Jamaica.

Rapp explained that with the DPA modelled from the EU GDPR, has also worked in the favour of the company.

“They all actually stem from something called Convention 108, which was a treaty signed in 1981 that sets out the founding principles of privacy, and then that became the foundation for the 95 Directive, which became the foundation for the GDPR. So when you look at Jamaica, but you also say look at Barbados, or you look at the people in Bermuda, or you look at Canada’s PIPEDA, all of them have this commonality. That means that having done a GDPR implementation, you’ve got a starting point, but not a finishing line for doing a local implementation in most countries in the world,” Rapp outlined to Our Today.

Asked how Securys differentiates itself from competitors, the founder pointed out that having a localised approach is always necessary.

“One of the things that we find interesting is that very large corporations, and of course, one of the things that’s interesting about Jamaica is it’s both a base for pan-Caribbean corporations, but also a target market for Canadian and larger Trinidadian organisations. They will tend to take an assumption that you can build a one-size-fits-all privacy programme, sometimes based on their home laws, say PIPEDA if you’re talking about Canada, and that that’ll be good enough. And the answer is, well, it isn’t, and you do need to have that local knowledge,” Rapp shared.

“So our whole modus operandi is that we combine the understanding of GDPR and the core pragmatic principles of how you do a privacy programme in reality with that understanding of each local market and what you need to do to reshape your program to suit the local market environment and the local law,” he added.

“So basically, because we’re quite large and because we’ve been doing this a long time and because we do it all over the world, we’ve got, I think, unrivalled experience in building cross-organisational programmes that are properly fitted to all of the countries where those companies operate and take account of and pay respect to the variations in local law, but still enable data to flow around the organisation freely.”