SMEs Struggle
Limited resources and regulatory uncertainty hinder compliance under the new Data Protection Act
Small and medium-sized enterprises (SMEs) are said to be among the businesses having difficulty meeting the requirements of the now-enacted Data Protection Act (DPA), which regulates how entities process, manage and store customer data.
Stuart Hylton, director of assurance & compliance at Symptai Consulting Limited, having worked with a number of these entities to reach compliance, told the Jamaica Observer that the grouping, which consists mainly of small businesses, is being plagued by several hurdles, ranging from limited resources to a lack of clarity about regulatory expectations and a general uncertainty about important roles such as data protection officers (DPOs) and privacy officers (POs).
“What I’ve noticed is a combination of issues which at times make the complaint of one SME a bit more unique than that of another. While some bemoan financial challenges, which prevent them from paying for additional training or resources, others may not have sufficient personnel to do the work necessary as another lacks the overall skill sets required. These concepts of data protection and privacy rights are still novel to businesses, so it is expected that a lot of them will continue to view it as challenging as they try to put things in place to meet the requirements of the legislation,” Hylton said.
“We often see these businesses becoming overwhelmed by questions like, where do I start? or how do I make this practical?” he also indicated, noting that, “the answer lies in simplifying the journey, breaking it down into manageable steps and equipping teams with the right tools and guidance.”
Larger companies, particularly those in the financial sector, which may be a little more familiar with meeting a number of other regulatory requirements from entities such as the Bank of Jamaica or the Financial Services Commission, are often more inclined to become compliant, he said, having already been exposed to what is needed to create and implement certain structures and how to leverage the expertise of consultants.
On realising the deficiencies and moving to address some of the issues now faced by SMEs, Hylton said his company has sought to curate a number of solutions designed specifically to meet their needs.
“We have multiple things that we’re doing to help smaller organisations, who may not be able to commit to what some of the larger ones can do. Right now we have a very affordable EPA short course, made available on demand, which entities can through an [online training module] get the facts about what the DPA requires. We also have a DPO, which we offer as a service and whom we have made scalable to meet the needs of any size organisation. For smaller entities that need a DPO, this comes as a subscription service which allows them to pay a small amount monthly to gain access to this person who will help them to develop their systems and to ensure that they can complete the steps needed to become compliant,” Hylton said.
Fully supportive of the need for compliance, the director said that while the legislation provides a clear road map on how companies are to proceed in attaining this, it’s often not a straightforward process but one that requires serious commitment and action.
“Compliance is not just about ticking boxes or avoiding fines. It is about building a culture of respect for people and their data. When businesses put people at the heart of their privacy efforts, they do not just follow the rules, they build trust and safeguard their reputations,” he stated.
Pointing to the successes of recent interventions by his company and others in assisting the group, he said a lot more SMEs are now becoming registered.
“Once we get started with an organisation that is one of the first things we do. We urge companies to just get started — while it may seem like it’s too much to get done, if they just get started the work will be completed eventually,” he noted.
President of the Small Business Association of Jamaica (SBAJ) Garnett Reid, in acknowledging the difficulties faced by SMEs, said efforts are currently underway to have more of these operators secure compliance.
“I’m not yet fully aware of how widespread those affected are, but as we seek to make the necessary checks, the association is also now looking to embark on a series of training exercises as we continue to offer our own support to ensure that our members can all become compliant under the Act. In short order we should also be having a meeting with representatives of the office of the Information Commissioner (OIC) to further educate the sector,” he told the BusinessWeek.
Under the DPA, which took effect in December 2023, companies, often categorised as data controllers, have a duty to safeguard the handling of personal information being held for their clients in physical or electronic form.
Of the eight standards prescribed by the legislation for the processing of client data, the seventh requires data controllers to implement and maintain appropriate organisational and technical measures to protect against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.
Amid increased reports of breaches in recent times, Information Commissioner Celia Barclay last week issued a notice reminding companies of their duties and responsibilities under the Act. She reminded companies large and small that failure to process personal data in accordance with the data protection standards or to report a breach or contravention, or notify individuals of a potential breach of their personal data, constitutes an offence.
“The enforcement provisions have generally not yet been brought into effect to enable the prosecution of offences under the Act. However, data controllers should be mindful of the high costs, through loss of income or profit from reputational damage, that can be suffered as a result of their failure to protect personal data,” she said in the news release sent to media houses.
In a follow-up this week, efforts by the Business Week to secure an update on when these provisions are likely to take effect were not immediately successful, as the commissioner was said to be out of office at the time of these checks.