Building a company data protection regime

Mark Lyndersay -

BitDepth

"Now is the key time to prepare, to set the groundwork in implementing a good data protection and cybersecurity strategy in anticipation of a change in the regulatory environment," said Julian Hayes, managing director of Veneto Privacy Services, based in Dublin, Ireland.

Hayes has consulted in Jamaica as businesses there came to terms with the robust legislation in place to protect data and customers.

Jamaica brought its Data Protection Act into law in June 2020 and by December 2021 had appointed Celia Barclay as its first Information Commissioner.

Jamaica gave businesses operating in that country two years to become compliant and register with the Office of the Information Commissioner.

During that time, Barclay will be bringing the operations of her new office into force.

"The biggest thing that concerns businesses in Jamaica is not being prepared for a cyberattack," Hayes explained.

"There's an expectation from customers that the business is fully up to speed and prepared to prevent cyber attacks because of regulatory fines."

"Criminal investigations are a primary threat, but the reputation of the business is important, and it's critical to maintain the best position to respond to a cyberattack."

Jamaica's Data Protection Act legislates fines up to $222,000 (JA$5m) and prison terms of up to ten years for infractions under its laws.

Barbados appointed its data protection commissioner in July 2021.

TT's Parliament recently granted the Government an 18-month extension – over the objections of the Opposition – to prepare amendments to local data protection law. It's been 12 years since the first data protection laws were partially proclaimed.

Among the services that Veneto provides for businesses is the data protection officer as a service.

"Some companies obviously have a preference to have an internal officer, but depending on the sector that you're in, a services company can provide the services of a data protection officer."

Veneto's remote officers monitor compliance within an organisation and provide solutions to enhance privacy rights: training employees, minimising the data that the business collects and implementing appropriate security controls across the data sets that the company is using.

When Veneto discusses cybersecurity services, there's usually some awareness of potential weaknesses and liabilities.

"Clients are already looking to get a solution. They might want a better briefing on the law and what it means for their sector specifically. Whether it's the banking sector or a retail operator, there will be different data protection risks relating to the data they are processing."

"They are definitely preparing and not at the wait-and-see stage. They want to make an investment, but they don't want to be oversold.

"You need to make an investment that's suitable to the proportion of risk that you face. If you're a medical company and you're handling very sensitive medical data for hundreds of thousands of patients, you're going to be a prime target. Here in Ireland, we had a major cyberattack three years ago on the state health care service and they shut down the health service for about two weeks."

Hayes has found that many businesses overlook affordable, straightforward protections for their networks that are relatively easy to implement.

"On the last project I did, there was a big issue around endpoint encryption. There was no device encryption for laptops; there were a lot of staff working remotely with no protection for the laptop if it got lost or stolen. The data could be easily taken off the drive if the device was taken."

"We recommended installing very basic endpoint security which didn't amount to any more than US$15 per license for each machine. But that gave that assurance that information was backed up and the device was secured."

Hayes recommends that the first step for businesses is to map the processes within the organisation.

"If you're a pharmacy provider, you have retail presence, you're going to have data collection within the stores, you're going to be receiving prescription information from doctors. Map each of these processes and be clear which are low-risk and which are high-risk."

"If you have CCTV in the store, that's also capturing personal data with images. You need to understand where it's being stored, who has access to it and how secure it is."

"Map your organisation's data processing, make a basic worksheet so you can understand where you are and can explain what you do."

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there.
