Breaking Down Data Protection for the MSME
On December 1, 2021, sections of the Data Protection Act (“DPA”) were brought into force and since then there have been gradual, but significant developments in the data protection landscape. The Office of the Information Commissioner has been established and the Information Commissioner appointed. More recently the Minister of Science, Energy & Technology, Hon. Daryl Vaz announced that the codes, standards and regulations are being drafted and the Regulations are to be finalized by September 2022. The DPA has a transition period of two years that is set to end in November 2023, during which data controllers of all sizes should be implementing processes and making required changes to ensure compliance with the DPA.
Data Protection and MSMEs
Micro, Small & Medium Enterprises (MSME)s are an important sector of the Jamaica economy. In some shape or form, each MSME is sure to come in contact with personal data as defined in the Act, for example in the collection of customer and employee data. It is therefore important for MSMEs to be alive to issues related to data protection and ensure responsible information management from the start . Data protection is often seen as an intimidating hurdle to be overcome, particularly for MSMEs, where resources are more limited, however, there are steps that MSMEs may take to make data protection manageable and an asset to their business.
What is Data Protection? What is Personal Information?
Generally, data protection refers to strategies and processes used to safeguard the privacy and protection and integrity of data.
Personal Information is defined under the DPA as information (however stored) relating to a living individual, or an individual who has been deceased for less than 30 years, who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller, and which includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual.
A data controller is defined as any person or public authority, who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed, and where personal data is processed only for purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment is for the purposes of this Act a data controller
It Starts with the First Step
They say that the best defence is a good offence. In data protection, that offence is responsible and on-going information management. MSMEs should first assess the types of data they process. This can of course be done in house by looking at across different aspects of the business to identify personal data collected in the course of business. Business can also use programs already being utilized by the business such as any accounting software or even Microsoft Excel. This will not only allow the business to make more informed decisions moving forward while also keeping costs low.
Next, the MSME must identify the purpose for the collection of each piece of information that may fall within the definition of personal information. This will assist the business in determining whether first if the collection of that information is necessary, or desirable, and if so the basis for processing each such type of data.
Where data is processed based on consent, the business should review how that consent is sought, obtained and recorded. These simple steps will assist the business in assessing and planning for compliance with the principles of purpose limitation, data minimization, accuracy and storage limitation, al of which are established under the DPA.
Data is processed when it is obtained, recorded or stored the information or in the carrying out of any operation or set of operations (whether or not by automated means) on the information or data, including— (a) organisation, adaptation or alteration of the information or data; (b) retrieving, consulting or using the information or data; (c) disclosing the information or data by transmitting, disseminating or otherwise making it available; or (d) aligning, combining, blocking, erasing or destroying the information.
The next step is for the MSME to review how data is processed in the business and determine any weaknesses or areas of non-compliance. The MSME should prepare a privacy policy to outline what data is processed, how it is processed, the basis for processing and any other procedures such as option for data subjects to opt out, where applicable. This step is crucial for information management. Every business is different and a privacy policy and is a legal document that includes appropriate and relevant representations to data subjects. Therefore, while there are many privacy policies available the MSME must ensure that they have a policy that is best suited to its type and size off business as well as the realities of each business. This step may be financially and administratively burdensome for some MSMEs and so now is the time to lobby through sector groups and individually or collectively seek legal and IT advice in getting sector policies that are well suited, relevant and flexible for MSMEs.
The MSME’s must then ensure employees are trained and knowledgeable about why data protection is important, what their role is in protecting the business by complying and whom they should address with questions or concerns. This goes to the root of employees awareness of the businesses’ data protection policies and procedures. In businesses where employees are intimately involved with information, it is especially important to encourage issue-spotting and reporting procedures to catch any incident at the earliest moment. While not every employee will need to “live and breathe” privacy and data protection, an appreciation and understanding for what is necessary and the consequences of non-compliance are crucial on the part of every employee, and owner.
Data protection is by no means a one size fits all approach. Preparing for the DPA requires time, effort and thoughtful planning. This article identifies some of the key areas for consideration but is by no means exhaustive. They are however important first steps for a MSMEs to take in their journey towards responsible information management and compliance with the DPA.
Data protection is often seen as intimidating, costly, burdensome and some feel this a task for larger institutions, however, this is not so, the DPA applies to data controllers of all shapes and sizes. With that being said, there are steps MSMEs can take towards responsible information management and data protection can even become a part of a businesses’ DNA. Although compliance with the DPA is a legal obligation, responsible information management is sure to be a competitive advantage with the disadvantage of non-compliance includeing the risk of reputational damage and loss of consumer confidence. The investment in data protection can certainly help MSMEs save in the long run and must be seen as an investment in the protection the business’ brand and hard-earned reputation.
