The Jamaican Data Protection Act 2020 is a comprehensive data privacy law that was passed in Jamaica in 2020, keeping in mind the data privacy and security of Jamaican citizens. This Act is quite similar to other major data privacy laws that have been passed in recent years, such as the EU’s General Data Protection Regulation (GDPR) and Brazil’s General Data Protection Law (LGPD).
The Jamaican Data Protection Act creates the legal blueprint for how data within Jamaica should be collected and processed. It also sets the framework for penalties that can be imposed on individuals and organizations who do not comply with the guidelines of this act.
The act defines "data" as any personal information relating to a living individual, while a "data subject" is an identifiable individual who is the subject of that personal information, or any identifiable individual who has been deceased for less than 30 years.
According to the Jamaican Data Protection Act 2020, all data controllers operating within Jamaica are expected to comply with the following guidelines:
Personal data must only be processed if the data subject consents to the processing of data and this consent has not been withdrawn. For the processing of sensitive data, this consent must be in writing.
Data should be collected only for specified and lawful purposes and shall not be processed in any manner that is incompatible with those purposes.
Personal data collected must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
The data must be accurate and, wherever necessary, kept up to date.
Personal data processed for any purpose shall not be kept for longer than is necessary.
Personal data must be processed in accordance with the rights of data subjects; further, a person shall be regarded as contravening the Act by processing personal data for purposes of direct marketing without the consent of the data subject.
Appropriate technical and organizational measures will be taken against unauthorized or unlawful processing and accidental loss or destruction of or damage to personal data.
Personal data must not be transferred to a state or territory outside of Jamaica unless that state or territory ensures an adequate level of protection for the rights and freedoms of the data subjects.
With ManageEngine's comprehensive suite of IT management solutions, you can ensure that compliance requirements such as data collection, data security, and audits are met with the utmost care and attention to detail. With our solutions, Data Protection Act compliance will seem like a cool summer breeze on the sandy shores of Kingston.
Appoint an information officer who will bear the responsibility of ensuring compliance when it comes to data processing and collection. Ensure that the data subject provides written consent to the processing of their data.
Identity and access management tools will help to establish role-based access controls so that only authorized personnel will be able to handle sensitive data.
Access Manager Plus: Create custom roles with preset permissions to ensure users have only the required access to perform their tasks.
M365 Manager Plus: Establish role-based access control for Microsoft 365 administration.
Endpoint Central: Grant permissions of your choice based on multiple predefined and/or tailor-made roles using role-based access control.
AD360: Select any combination of management, auditing, reporting, and alerting tasks concerning AD and Microsoft 365, and delegate them by creating custom help desk roles.
Collect and store only the data that is required for a specific and lawful purpose—and the processing of this data should be within lawful means.
Locate and delete junk data, including obsolete and duplicate files, using data discovery tools.
- Identify anomalous data access, collection, modification and deletion.
- Locate and delete junk data, including stale, duplicate, and orphaned files.
Personal data collected must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Use a real-time alert mechanism to be notified about unauthorized access, modification, or deletion of files with confidential data.
- Keep personal and corporate data separate on your devices.
- Delete users' personal data from your servers, revoking access to that data.
Password Manager Pro: Prevent unauthorized users from exploiting privileged access to personal data repositories.
ADAudit Plus: Audit events to identify unauthorized permission changes related to personal data.
- Identify users with full control access to files shared on Windows.
- Locate all files and folders shared with multiple users.
PAM360: Ensure that only authorized users can remotely access sensitive data for specific time periods.
Ensure that the data collected and stored is accurate and regularly updated.
Schedule regular scans and audits to monitor the integrity of the data and periodically delete outdated data.
Endpoint Central: Schedule device scans to ensure the availability and integrity of personal data.
Data Security Plus: Monitor and delete incorrect or outdated data.
Browser Security Plus: Scan your active browsers to ensure that personal data stored as cookies or sessions is protected.
Endpoint DLP Plus: Quickly recall information on data subjects when requested for modification or deletion.
Data kept for long periods of time should be deleted when it reaches the storage threshold.
Locate and audit databases to keep the data relevant and delete outdated records.
Data Security Plus: Identify, locate, and delete incorrect or outdated data.
Log360: Audit databases to determine how long data has been stored and delete records once the storage threshold is reached.
Data subjects should be informed when their personal data is being processed for direct marketing. They also have the right to rectify any inaccuracy in this data as well as request the erasure of their data.
Monitor data activity and access, and notify your data security officer if the integrity of the data has been compromised.
Endpoint Central: Gain visibility into users or devices accessing business services and data.
Log360: Send alerts when unauthorized access attempts are made.
EventLog Analyzer: Audit all activity on systems that store personal data, monitor changes made to the data, and notify security admins if the integrity of the data has been compromised.
- Audit file and folder actions to maintain an audit trail of accesses.
- Trigger email alerts to admins when suspicious activity is detected.
- Detect and contain ransomware to prevent data loss.
- Detect and prevent the leakage of business-critical files via USB devices or email.
Endpoint DLP Plus: Limit data access to essential and relevant personnel based on security clearance and task-specific needs.
Technical and organizational measures must be taken to ensure the integrity, confidentiality, and security of data, and also to prevent unauthorized or unlawful processing of data, as well as destruction or damage to data.
Detect vulnerabilities and unknown external attacks using custom correlation rules in log management tools.
- Check periodically if your organization's assets are compliant with corporate configurations.
- Securely distribute business-critical documents to authorized individuals and devices.
ADManager Plus: Email or export reports whenever required for security assessments and audits.
Endpoint DLP Plus: Generate reports with actionable insights to audit sensitive information and its applicable policies.
Data transfer outside of Jamaica must only be done to those states and territories that ensure protection for the rights and freedoms of the data subjects.
Monitor, authorize, or block all data activity, including movement of data between devices, to identify potential breaches ahead of time and ensure data security.
Endpoint Central: Set alerts in case a device does not check in with the server over a predefined period of time.
Log360: Centralize and correlate security data to identify potential data breaches instantly.
- Monitor and block the movement of personal data to USB devices or as email attachments.
- Reduce incident response time with instant alerts.
- Generate alerts and reports on unwanted access or anomalies in file access and modification.
- Maintain a document of all file and folder deletion actions.
Endpoint DLP Plus: Configure policies to restrict the movement of sensitive information to peripheral devices.
Fully complying with the Jamaican Data Protection Act requires a variety of solutions, processes, people, and technologies. The solutions mentioned above are some of the ways in which IT management tools can help with some of the Act's requirements. Coupled with other appropriate solutions, processes, and people, ManageEngine's solutions help achieve and sustain compliance with the Act. This material is provided for informational purposes only and should not be considered as legal advice for Jamaican Data Protection Act compliance. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.