Data Protection Act 2020 Jamaica

    Overview

    Jamaica's Data Protection Act, 2020 (DPA) establishes a legal framework to safeguard personal data by regulating its collection, processing, storage, and transfer. The law aims to protect individuals' privacy rights while promoting transparency and accountability in data management. It applies to both public and private entities, aligning with global data protection standards to promote trust and secure data handling practices.

     

    Regulation Summary

    Timeline
    • Enactment: June 19, 2020
    • Effective Date: December 1, 2021
    • End of a two-year transition period, became fully enforceable: December 1, 2023
    What Businesses Are Affected?
    • Any organization processing personal data of Jamaican residents.
    • Public and private sector entities, including international businesses operating in Jamaica.
    • Data controllers and processors handling personal information.
    Exemptions
    • Personal or household data processing.
    • Journalistic, literary, and artistic purposes, under certain conditions.
    • Law enforcement, national security, and regulatory functions conducted by government agencies.
    • Data processed for research, statistical, and historical purposes, provided it does not identify individuals.
    Responsibilities for Businesses
    • Obtain clear and lawful consent before processing personal data.
    • Process data fairly and transparently for a specified purpose.
    • Implement security safeguards to prevent unauthorized access or loss.
    • Allow individuals to access and correct their data.
    • Appoint a Data Protection Officer (DPO) for businesses handling large-scale data processing.

    Report data breaches to the Information Commissioner as mandated.

    Specific Website Owner Responsibilities
    • Provide a clear privacy notice explaining data collection and usage.
    • Allow users to withdraw consent easily.
    • Ensure security measures protect personal data from cyber threats.
    • Report breaches to the Information Commissioner and notify affected individuals where necessary.
    Additional Requirements
    • Restrictions on cross-border data transfers unless adequate protections are in place.
    • Parental consent is required for processing children’s data.
    • Data controllers must maintain records of processing activities for compliance checks.
    Data Subject Rights
    • Access their personal data.
    • Request corrections or deletion of inaccurate data.
    • Withdraw consent at any time.
    • File complaints with the Information Commissioner.
    • Object to data processing under certain circumstances.
    Enforcement
    • Regulated by the Information Commissioner.
    • Fines up to JMD 5 million (~$32,000 USD) for breaches.
    • Criminal liability for serious offenses, including imprisonment.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596