Jamaica’s Data Protection Act, 2020 (DPA 2020) establishes a comprehensive framework for the lawful processing of personal data, giving individuals greater control over their personal information while requiring organisations to handle that data responsibly, fairly and securely. The Act was passed in June 2020 and came fully into force on 1 December 2023, following a transition period intended to give public and private sector entities time to achieve compliance. However, the enforcement mechanisms have not yet been brought into effect: organisations are expected to comply with the legislation, but regulatory enforcement has not yet commenced.
The DPA 2020 applies to all entities operating in Jamaica, including government agencies, businesses, and foreign companies that process personal data within the jurisdiction. The Act is closely modelled on the UK Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR), aligning Jamaica with international standards for data protection and privacy. At the core of the Act are eight data protection standards, which require that personal data be processed in a fair, transparent and responsible manner. Organisations may collect data only for specific, lawful purposes, and the data must be adequate, relevant and limited to what is necessary for those purposes. Data must be kept accurate and up to date, stored securely to prevent unauthorised access, and retained only for as long as necessary before being securely deleted or anonymised. Importantly, individuals must be able to exercise their rights over their personal information, so that they can access, correct, or request the deletion of their data where applicable.
To empower individuals, the Act grants several data subject rights, allowing them to request access to their personal data, correct inaccuracies, and demand the deletion of their information under certain conditions. Additionally, individuals have the right to object to how their data is being processed, particularly for direct marketing, and can exercise data portability, allowing them to transfer their personal data between organisations in a structured format. For organisations, the Act imposes strict obligations to ensure compliance with data protection standards. Entities that process personal data must have a lawful basis for doing so, whether through explicit consent, contractual necessity, or legal obligation. Larger organisations and those handling sensitive personal data are required to appoint a Data Protection Officer (DPO), who will oversee compliance and risk management. Additionally, organisations must implement appropriate security measures to prevent data breaches and, where a breach occurs, must report it to the Office of the Information Commissioner (OIC) and notify affected individuals if the breach poses a significant risk.
Although the Act is now formally in force, its enforcement mechanisms are not yet operational. The Office of the Information Commissioner (OIC) has been established as the regulatory authority responsible for monitoring compliance, investigating complaints and enforcing the law. Once enforcement begins, the OIC will have the power to conduct audits, issue enforcement notices and impose penalties on non-compliant organisations. The penalties under the Act are significant, with fines of up to JMD 5 million or imprisonment for up to ten years, depending on the nature and severity of the offence; until the enforcement provisions are activated, however, no fines or legal actions are being imposed. The Act also restricts international data transfers: personal data may not be sent outside Jamaica unless the receiving country provides an adequate level of data protection or other safeguards are in place, such as binding contractual agreements. This provision is intended to protect individuals’ data when it is processed internationally, particularly by multinational companies.