Several companies and churches are reportedly struggling to comply with the Data Protection Act which came into effect last year December, and are yet to make any meaningful progress in implementing the requirements under the regulations, despite the threat of sanctions.
One cyber security expert noted that implementing the requirement is proving to be a major challenge for both large and small businesses for several reasons, which, it seems, the government failed to take into consideration when passing the Act in 2020.
“One concern is overheads. Businesses are going to have to hire persons for training [who are] certified in data protection,” he pointed out.
According to the Act, entities, particularly those that process personal information on a daily basis will be defined as data controllers, and are required to be registered with the Office of the Information Commissioner. These data controllers are obligated to appoint a responsible individual, such as a Data Protection Officer (DPO) to oversee their compliance with the Act.
However, it will come at an added cost to employ a data officer and given the fact that a data controller could face a hefty fine or imprisonment for breach of data, businesses are desperately seeking to find individuals trained in data protection to minimise the risks of sanctions.
“Where do we find the skills, because last time that I checked, there is no degree or diploma in data protection, or data privacy. Some IT degree covers it barely,” said the cyber security expert who was trained overseas.
Even if the larger companies do have the money to hire persons trained internationally, developing countries are also struggling to find data security or cyber security experts.
The World Economic Forum indicated that there is a global shortage of nearly four million cyber professionals and this figure is in keeping with those provided by other entities. The local expert feels it would have been best to start offering data security degrees or diplomas locally to help fill the void and alleviate the burden on companies, prior to passing the Act.
“You have a lot of people with degrees, but they just don’t have the training and the skills and the experience in these areas,” he told the Freedom Come Rain.
But aside from the shortage of professionals, companies will need to consider investing in softwares to store data that they collect. The purchase of hard drives and other storage devices will be added expenses, which over time adds up.
Under the Data Protection Act, entities that process personal information on a daily basis, are required to implement measures to ensure the safety, security, and confidentiality of the data that they handle, and failure to do so could result in them facing harsh penalties.
Programmes for example will need to be installed to ensure that only authorised persons have access to data to avoid penalties.
Based on the cyber security expert’s assessment, the nation just does not have the digital ecosytem at this time to guarantee the requirements under the Act. Still, government officials continue to warn that a grace period has been given for compliance and this will eventually come to an end. After this grace period, sanctions will be applied for non-compliance.
“We will definitely communicate as we move along when it becomes compulsory for all the [data] controllers to be registered and when the regime in relations to sanctions will be in place and effective,” Minister with responsibility for Skills and Digital Transformation, Senator Dana Morris Dixon noted during a post Cabinet press briefing last year December.
“So, December 1 is really just the start of our journey on this road which Jamaica cannot, not be on, especially considering what is happening globally. Protecting people’s privacy is a right and that is what this data protection is all about,” she said at the time.
But, the cyber security expert who spoke on condition of anonymity with the Freedom Come Rain noted that the Act just does not make sense. Others have written editorials in local publications to share their concerns.
“What happens if there is a catastrophe? Where is our data? Where is the back up and recovery? There are so many questions the government has not answered.”
Earlier this month, a hacker dumped 2.7 billion data records, including social security numbers, on a dark web forum, in one of the biggest breaches in history. The data was stolen from background-checking service National Public Data at least four months ago. Personal data of persons living in the U.S., U.K., and Canada were stolen and was being sold. Information such as a person’s name, mailing address, SSN, and other sensitive information, such as names of relatives were made available.
Jamaica has not been spared data breaches. In February 2021, it was revealed that the data from thousands of travellers on the government’s COVID-19 website (JAMCOVID) were exposed. The US specialist online newspaper TechCrunch, which broke the story found that the cloud storage was “unprotected and without password.” This meant personal data, including medical records could be easily accessed.