Amid growing concerns about challenges implementing the Data Protection Act 2020 among Micro, Small & Medium-sized Enterprises (MSMEs), the Jamaica Business Development Corporation (JBDC) has moved to educate the sector on the importance and benefits of compliance.
During his feature presentation at the JBDC’s Virtual Biz Zone webinar on Tuesday, April 15, 2025, Andre Palmer, Head of Practice at UK-based data privacy consultancy Securys Limited, said many Jamaican MSMEs equate registering with the Office of the Information Commission (OIC) with full adherence to the Data Protection Act (DPA). But with enforcement looming, he stressed that real compliance requires fundamental changes in how businesses collect, use, and protect personal data.
“Paper compliance won’t cut it,” he said. “If you’re not living out the standards in your day-to-day operations, you’re not compliant.”
Failing to implement these standards could leave MSMEs vulnerable to legal action, reputational damage, and penalties once enforcement begins in full.
The law mandates that organisations clearly explain their data practices to customers. “You have to tell individuals what you’re doing with their data, why, how long you’ll keep it, and if you’ll share it with third parties,” Palmer said, referencing Standard 1 of the JDPA which speaks to Lawfulness, Fairness & Transparency.
Purpose Limitation, as the 2nd standard under the DPA, mandates that personal data should only be used for the specific reason it was collected. Using data for other purposes requires new, explicit consent. “Purpose limitation is a really tricky one because organisations have a way of collecting information for one purpose and then using it for something else. Now under the JDPA, we as organisations have a responsibility to only use the personal data for the very limited and specific purpose for which you’ve collected it”, Palmer explains.
Excessive data collection also drew fire. Standard three – Data Minimisation – says to collect only the data you absolutely need. “So if I come to a supermarket to do my weekly shopping but at checkout, you’re asking me the average people in my home; you’re asking me about my mother’s maiden name; you’re asking me about the average income of my household; I’m sure you’ll find that odd because you’re thinking well what does that information have to do with me just wanting to buy some milk and some eggs and some bread and some cereal.”
Accuracy, which is the 4th Standard, says that organisations have a responsibility to ensure that the personal data that they’re collecting is kept accurate and up-to-date.
He also highlighted problematic retention practices. “Companies keep everything forever because cloud storage is cheap – even ex-employee records from 15 years ago,” Palmer noted. While some data like financial records may need seven-year retention due to statutory requirements, he urged businesses to regularly audit their databases: “If you can’t justify why you’re keeping certain information, delete it.”
The JDPA arms individuals with new rights to access, correct, demand deletion of their data, or object to the use of their data – Standard 6. Palmer noted that organisations must respond to such requests within 30 days.
“Standard seven talks about appropriate safeguards. It means that organisations are now required to put the appropriate technical and organisational measures in place to keep the data safe,” the expert added. “You’re protecting the data against unlawful processing, accidental loss, damage or destruction.”
For international businesses, Palmer stressed the importance of verifying foreign partners’ data protection standards. “You can’t just ship Jamaicans’ data overseas without ensuring equivalent safeguards exist,” he said, referencing the International Transfers requirement.
He encouraged MSMEs to see data protection as a competitive advantage. Rather than viewing the JDPA as a burden, Palmer encouraged businesses to embrace it as a trust-building opportunity. “Proper data protection can differentiate your brand and open doors for international trade,” he said, noting that global partners increasingly demand proof of compliance.
In June 2024, the JBDC and Securys Limited signed a Memorandum of Understanding (MOU) to:
1) Promote education and assistance to the MSME sector in the area of Data Protection; and,
2) Collaborate on selected projects to enable access to data privacy services at an affordable cost to JBDC’s clients.
-END-