
The Data Privacy Act: 10 Questions Leaders Ask Most

Leaders in Jamaica are being asked harder questions about privacy than ever before: What data do we hold, why do we have it, who can see it, and what happens when something goes wrong? Whether the pressure comes from customers, regulators, banks, parent companies, or procurement teams, the same theme shows up again and again: privacy is now a governance and risk issue, not just an IT task.
This guide answers the 10 questions leaders ask most about the Data Privacy Act (often discussed locally in the context of Jamaica’s Data Protection Act) and translates them into practical, board-ready actions.
Note: This article is general information for Jamaican organisations and is not legal advice.
1) “What does the Data Privacy Act actually require us to do?”
At a leadership level, the Act is about responsible handling of personal data across its full lifecycle: collection, use, sharing, storage, retention, and disposal. Most operational requirements fall into a few executive-friendly themes:
Be clear and honest about what you collect and why (transparency).
Collect only what you need (data minimisation).
Protect it (appropriate security and access controls).
Keep it accurate and up to date (data quality).
Do not keep it forever (retention and secure disposal).
Respect individual rights (requests to access, correct, object, delete where applicable).
Be accountable (document decisions, train staff, manage vendors, be able to prove compliance).
If your organisation already treats privacy as part of governance, risk, and compliance (GRC), you are usually halfway there. The gap is typically evidence, consistent processes, and ownership.
2) “Does it apply to us, even if we are small or not ‘tech’?”
Leaders often assume privacy laws only apply to banks, telecoms, or big tech. In practice, most organisations process personal data. If you handle any of the following, assume the law is relevant and confirm scope:
Employee data (payroll, leave, disciplinary records)
Customer records (billing, delivery, support)
CCTV footage and visitor logs
Marketing lists (email, WhatsApp, SMS)
Patient or client information (especially sensitive categories)
Online identifiers (web forms, cookies where applicable)
Size does not remove accountability. Small and medium-sized entities usually need a simpler program, but still need a program.
If you want a regulator reference point and guidance updates, monitor the Office of the Information Commissioner (OIC) Jamaica for public education materials and developments.
3) “Are we a controller or a processor, and why should I care?”
This question matters because it changes where the primary compliance burden sits.
A controller decides the purpose and means of processing (why and how personal data is used).
A processor processes personal data on behalf of a controller (for example, payroll service providers, cloud hosting, outsourced call centres).
Many Jamaican organisations are both, depending on the activity. For example, you are a controller for HR records, but a processor if you run a customer support platform for another company.
From the C-suite perspective, the difference usually shows up in:
Contracting: processors need clear contractual instructions, confidentiality obligations, and security expectations.
Risk ownership: controllers must ensure notices, lawful basis, rights handling, and vendor oversight are in place.
Incident management: responsibilities to investigate, contain, and notify depend on role and contract.
A practical way to clarify this is to pick three high-volume processes (HR, customer onboarding, marketing) and force a simple decision: controller, processor, or both.
4) “What personal data do we have, where is it, and who can access it?”
If leaders can only answer this with “IT has it” or “it’s in the system,” you have a governance risk.
A defensible privacy program starts with data visibility:
What data you collect (categories)
Where it lives (applications, email, shared drives, paper files)
Who can access it (roles, vendors, third parties)
How long it is kept (retention)
How it moves (sharing, exports, cloud sync)
This is usually captured in a data inventory (often called a record of processing activities). You do not need perfect detail on day one, but you do need a credible baseline.
| What leaders want to know | What you should ask for internally | Typical owner |
|---|---|---|
| “What data do we hold?” | Data inventory by business process | Compliance / Risk with business units |
| “Where is it stored?” | System list (SaaS, on-prem, paper), data locations | IT with process owners |
| “Who can see it?” | Role-based access review, admin accounts, shared mailbox controls | IT Security / IT Ops |
| “Who else gets it?” | Vendor list, integrations, data sharing map | Procurement / Legal / IT |
| “How long do we keep it?” | Retention schedule tied to legal and operational needs | Legal / Records / Compliance |
5) “What is our lawful basis for using personal data, especially for marketing and HR?”
Leaders usually do not need to memorise legal bases, but they do need to ensure the organisation has made clear decisions and can explain them.
Common risk areas in Jamaica include:
Marketing lists built over time with unclear consent and weak opt-out controls
Employee monitoring (CCTV, device monitoring, GPS tracking) without clear policy boundaries
Customer onboarding where forms collect “nice to have” data that is not necessary
A practical leadership test is whether, for each major process, you can answer the following in plain language:
Why do we need this data?
What would break if we stopped collecting this field?
Who is the audience for the privacy notice (customer, employee, visitor)?
How do we handle objections and opt-outs?
When leaders require business units to justify collection and retention, privacy compliance improves quickly, and so does data quality.
6) “What rights do individuals have, and what does it mean operationally?”
Rights are where privacy becomes real for customers and employees. Leaders should expect requests to increase as awareness grows.
Operationally, you need a documented process to:
Receive requests (email, web form, in-person)
Verify identity (proportionate checks)
Search across systems (including email and paper files)
Respond within the required timeframe
Log decisions and outcomes (for accountability)
Two leadership-level risks show up repeatedly:
Over-disclosure: staff release data to the wrong person because identity checks are weak.
Under-response: the organisation misses deadlines because requests are not routed, tracked, and owned.
A strong approach is to treat rights requests like customer complaints: single intake channel, ticketing, escalation rules, and weekly reporting until stable.
7) “What counts as a data breach, and what do we do in the first 24 hours?”
A “breach” is not only hacking. Many incidents are everyday operational failures:
Email sent to the wrong recipient
Lost laptop or USB drive
Misconfigured cloud storage
Inappropriate internal access (employee snooping)
Third-party vendor compromise affecting your data
Leaders should ask for a breach plan that prioritises speed and clarity, not technical perfection.
In the first 24 hours, the organisation should be able to:
Contain and secure (disable accounts, recall emails if possible, isolate systems)
Preserve evidence (logs, screenshots, timelines)
Assess impact (what data, how many people, sensitivity)
Decide communications (internal, customers, partners, regulators if applicable)
Document decisions (what you knew and when)
If you want a globally recognised incident handling playbook to align your process, NIST SP 800-61 (Computer Security Incident Handling Guide) is a practical reference used worldwide.

8) “Can we use cloud services hosted overseas, and what about cross-border transfers?”
Most Jamaican organisations use overseas cloud providers in some way (email, HR platforms, accounting tools, CRMs). The risk is not “cloud equals non-compliance.” The risk is unmanaged cross-border processing.
Leaders should ensure three things are true:
You know which vendors process personal data and where data may be stored or accessed.
Contracts address privacy and security (instructions, confidentiality, sub-processors, incident notification, return or deletion at end of service).
You have a transfer assessment approach that matches your risk profile (especially for sensitive data).
In procurement, privacy questions should be standard, not a special request. If a vendor cannot explain data locations, security controls, and breach notification timelines in plain language, treat it as a red flag.
9) “Do we need a DPO, and what governance should the board expect?”
Titles vary (Data Protection Officer, Privacy Lead, Compliance Officer). The leadership requirement is consistent: someone must own the privacy program, with authority to coordinate across departments.
Effective governance usually includes:
A named privacy owner and defined responsibilities
A cross-functional working group (Legal, HR, IT, Security, Operations, Procurement)
Privacy policies that match reality (not copied templates)
Role-based training (frontline, HR, IT admins, executives)
A reporting cadence to senior leadership and the board
Board-level reporting should focus on risk and progress, not jargon. A simple quarterly dashboard can cover:
Number of rights requests received and closed
Training completion rates by department
High-risk vendors reviewed (and gaps closed)
Open incidents and lessons learned
Status of top compliance deliverables (inventory, retention, notices, contracts)
10) “If someone challenges us, what proof will we need?”
Leaders often underestimate how quickly a privacy question turns into a request for documentation. Proof matters in:
Regulatory inquiries
Customer and partner due diligence
Cyber insurance and audits
Mergers, acquisitions, and financing
Think in terms of a “compliance evidence pack.” You do not need hundreds of documents; you need the right ones, kept current.
| Area | Evidence that typically holds up well | What it demonstrates |
|---|---|---|
| Governance | Privacy roles, reporting, risk register entries | Accountability and oversight |
| Data visibility | Data inventory and system list | You understand your processing |
| Transparency | Privacy notices (customer, employee, CCTV) | Fair processing and disclosure |
| Rights handling | Request logs, templates, response workflow | Ability to operationalise rights |
| Vendor management | DP clauses, due diligence notes, breach terms | Control over third-party risk |
| Security | Access reviews, MFA enforcement, backup and patch records | Appropriate safeguards |
| Retention | Retention schedule, disposal records | Storage limitation in practice |
| Incidents | Incident register, post-incident reviews | Learning and continuous improvement |
When leaders ask “are we compliant,” the most credible answer is not a slogan. It is a short set of documents and metrics that show consistent execution.
A leader’s practical next step (without turning this into a multi-year project)
If you want momentum within 30 to 60 days, focus on the controls that reduce risk fastest:
Confirm your top 10 data processes and build a baseline inventory.
Fix transparency gaps (privacy notices for customers, employees, and CCTV where applicable).
Implement a single intake channel for rights requests and train frontline staff.
Review your highest-risk vendors (payroll, HR, CRM, hosting) and strengthen contracts.
Run a tabletop breach exercise with executives so roles are clear before an incident.
Where PLMC can help
Privacy programs often stall because leadership teams are busy and privacy work spans multiple departments. Privacy & Legal Management Consultants Ltd. (PLMC) supports Jamaican organisations with practical implementation and governance alignment, including data protection implementation, training sessions, cyber security and GRC integration, and risk assessment tools.
If you want a clear view of your biggest gaps and the fastest path to closing them, you can request a free consultation through Privacy & Legal Management Consultants Ltd.
