The new Data Protection Act comes into effect today, providing greater safeguards for the handling of the personal information of Jamaicans held in physical or electronic form.

The legislation, which was passed in 2020, is poised to transform the way organisations manage personal data, including the collection, storage, utilisation, disclosure, and disposal.

Entities, particularly those that process personal information on a daily basis, are required to implement measures to ensure the safety, security, and confidentiality of the data that they handle, and failure to do so could result in them facing harsh penalties, including hefty fines.

These entities include public authorities, financial and educational institutions, health and security services providers, processors of sensitive personal data, among others.

Under the new law, these organisations or individuals, defined as data controllers, are required to be registered with the Office of the Information Commissioner (OIC) effective December 1, and pay an annual fee.

They are also obligated to appoint a responsible individual, such as a Data Protection Officer (DPO) to oversee the controller’s compliance with the Act.

Persons or organisations that process personal data without registering with the OIC could face sanctions.

Recognising that some local entities will not be ready to implement the data security measures on December 1, the Government has granted a six-month grace period for them to register with the OIC.