Data Protection Compliance: 10 Common Gaps to Fix
Published on 1/12/2026

Data protection compliance often fails in the same way across industries: organisations write a policy, add a website notice, and assume they are “covered”. But the Jamaica Data Protection Act, 2020 (and good privacy practice generally) is operational. It expects you to know what personal data you hold, control it properly, and prove you are doing what you say.

If you are trying to strengthen data protection compliance in 2026, the fastest route is not starting from scratch. It is finding and fixing the common gaps that create real-world exposure, including customer complaints, employee grievances, regulator attention, and avoidable security incidents.

Below are 10 common gaps we see in day-to-day compliance programmes, plus practical fixes and the evidence you should have on file.

How to use this list (and get value quickly)

Treat this as a working diagnostic, not a theoretical checklist. For each gap, ask two questions:

  • Is this true in our organisation today?

  • If we had to prove compliance next week, what documents, logs, or records would we show?

That “proof” mindset is the difference between a privacy programme that looks good on paper and one that holds up under scrutiny.

If you want a grounding in the law itself, review PLMC’s guide to the Jamaica Data Protection Act explained for businesses and keep this article as your operational gap-finder.

At-a-glance: the 10 gaps and what “fixed” looks like

For each common compliance gap: what it looks like in practice, what to fix (practical outcome), and what you should be able to show (evidence).

1) No clear accountability
   In practice: “IT handles privacy” or “Legal wrote a policy”
   Fix: Named owners for privacy decisions and escalation
   Evidence: Role assignment, governance terms of reference, reporting line

2) No data inventory (you do not know what you hold)
   In practice: Teams cannot list systems, data types, or sharing
   Fix: A living data map and system register
   Evidence: Data inventory, processing register, data flow notes

3) Lawful basis is unclear (especially consent)
   In practice: Consent is used by default, even for employment/contract
   Fix: Lawful basis chosen per activity, documented
   Evidence: Lawful basis log, consent records where used

4) Privacy notices are generic or outdated
   In practice: Notice does not match actual collection and sharing
   Fix: Notices aligned to real processing
   Evidence: Updated notices, version control, publication record

5) Rights requests are not operational
   In practice: Staff do not know how to handle access/correction requests
   Fix: A repeatable DSAR process with owners and timelines
   Evidence: DSAR procedure, request log, response templates

6) Retention is undefined (data kept “forever”)
   In practice: Old customer and HR files kept without purpose
   Fix: Retention schedule and secure disposal
   Evidence: Retention schedule, deletion logs, disposal certificates

7) Security controls do not match risk
   In practice: Shared accounts, weak access control, poor monitoring
   Fix: Appropriate technical and organisational measures
   Evidence: Access reviews, MFA/encryption status, security policies

8) Vendor and processor oversight is weak
   In practice: No due diligence, weak contracts, no monitoring
   Fix: Supplier governance tied to personal data risk
   Evidence: Due diligence records, contract clauses, review cadence

9) Cross-border transfers are not managed
   In practice: Cloud use with no transfer assessment
   Fix: Transfer risk assessed and documented
   Evidence: Transfer register, contractual measures, risk assessment

10) Breach response is untested
   In practice: A plan exists but nobody has rehearsed it
   Fix: Clear playbook, trained roles, tabletop exercises
   Evidence: Incident response plan, drill report, incident log

[Image: A compliance team in a meeting room reviewing a printed data map and a simple risk register on a whiteboard, with document folders labelled “Privacy Notices”, “Vendors”, and “Incident Response”.]

1) Gap: No clear accountability (privacy has no real owner)

A common pattern is that privacy is treated as a “task” rather than a governance function. A policy is created, but no one is accountable for approving new data uses, deciding retention, handling complaints, or escalating incidents.

Fix: Assign explicit ownership for privacy decisions. This does not have to be complex, but it must be real. Define who approves new processing (for example, new apps, new marketing campaigns, new HR tools), who signs off privacy notices, and who leads incident escalation.

“Fixed” looks like a privacy governance structure that can answer, quickly, “Who decides?” and “Who signs?” when personal data issues arise.

2) Gap: No data inventory (you cannot protect what you cannot see)

Many compliance problems are downstream of one root issue: the organisation does not have a reliable inventory of personal data. Without it, you cannot confidently answer:

  • What personal data do we collect (customers, staff, vendors, visitors, students, patients)?

  • Where is it stored (email, shared drives, HR systems, cloud platforms, paper files)?

  • Who do we share it with (banks, insurers, payroll, couriers, marketing providers, cloud vendors)?

Fix: Build a practical data inventory that matches how the business actually operates. Start with high-impact areas: HR and payroll, customer onboarding, payments, marketing lists, CCTV, and any sensitive data. Then document systems, data categories, purposes, recipients, and retention.

If you need a structured starting point, PLMC’s Privacy and Data Protection: a practical checklist complements this gap analysis well.

3) Gap: Lawful basis is unclear (consent is overused, or not recorded)

Organisations often lean on consent because it feels simple. In reality, consent has conditions and can be difficult to rely on in employment contexts or where services are conditional.

Fix: For each processing activity, decide and document the lawful basis that fits the context, then implement the right operational controls. If you rely on consent, you should be able to prove it was informed, specific, and recorded, and that withdrawal is possible and respected.

“Fixed” looks like decisions that are consistent. Marketing and cookies do not get treated the same way as payroll. HR does not copy and paste consumer consent language. Operational teams can explain why data is collected and what makes it lawful.

For reference reading on privacy fundamentals in Jamaica, see Data Privacy in Jamaica: key principles and rights.

4) Gap: Privacy notices are generic, outdated, or do not match reality

A privacy notice is not just a web page. It is your public explanation of what you do with personal data. The common failure is misalignment: the notice says one thing while operations do another (new vendors, new sharing, new retention periods, new marketing practices).

Fix: Treat notices as controlled documents, not marketing copy. Update them when your processing changes. Make sure they reflect actual categories collected, purposes, recipients, cross-border transfers where applicable, and how people can exercise rights.

“Fixed” looks like version control, a review cadence, and internal sign-off so that the notice stays accurate.

5) Gap: Data subject rights requests are not operational (and frontline staff are unprepared)

The rights of access and correction, and the other data subject rights, become real only when someone actually makes a request. Many organisations have no repeatable way to identify a request, verify identity, route it to the right system owners, and respond consistently.

Fix: Implement a rights handling workflow that is simple enough for daily use. Define who receives requests, how you verify identity, which teams search which systems, when legal review is required, and how you deliver responses securely.

“Fixed” looks like a request log, a standard operating procedure, and tested templates. It also looks like training for customer service, HR, and reception staff, because rights requests often start informally.

[Image: A simple flow diagram showing a rights request process: intake, identity verification, system search, review/redaction, secure response, and logging/closure.]

6) Gap: Retention and disposal are undefined (so data accumulates)

If you do not set retention rules, you default to indefinite storage, which increases risk without increasing value. It also makes rights handling harder and increases breach impact.

Fix: Create a retention schedule that is tied to business purpose and any applicable legal or regulatory requirements, then implement deletion and secure disposal in practice. Pay attention to the places data tends to linger: shared drives, email inboxes, exported spreadsheets, and archived backups.

“Fixed” looks like documented retention periods, a process for disposal, and evidence that disposal actually happens.

7) Gap: Security controls do not match the real risk

Privacy and cybersecurity overlap heavily in day-to-day operations. Even where an organisation has “security tools”, common gaps appear in the basics: access control, shared accounts, weak passwords, lack of multi-factor authentication (MFA), poor offboarding, and unclear ownership for sensitive datasets.

Fix: Align security controls to the sensitivity of the data and the realities of access. Focus on measures that reduce common causes of incidents: least privilege access, joiner-mover-leaver discipline, MFA for remote access and critical systems, encryption for portable devices, secure configuration for cloud services, and monitoring that someone actually reviews.
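An access review is the evidence item for this gap, and the check can be mechanical. The script below is an added illustration, not PLMC's code: it compares a constructed account export against a constructed HR roster and flags the three failures named above (active accounts belonging to leavers, shared accounts with no named owner, and privileged or remote-access accounts without MFA). The account fields, the `HR_ROSTER` shape and the finding codes are assumptions for the example.

```python
# Access review check for Gap 7 (added example, not PLMC's own tooling).
# All account and roster records below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    username: str
    owner_id: Optional[str]  # HR employee id; None marks a shared/generic account
    enabled: bool
    mfa_enrolled: bool
    privileged: bool
    remote_access: bool

# Constructed HR roster: employee id -> leaving date (None = still employed)
HR_ROSTER = {"E100": None, "E101": date(2025, 11, 30), "E102": None}
REVIEW_DATE = date(2026, 1, 12)  # the date the review is run

# Constructed account export from one system
ACCOUNTS = [
    Account("amartin", "E100", True, True, True, True),        # compliant
    Account("jbrown", "E101", True, False, False, True),       # leaver, still active
    Account("svc-shared-hr", None, True, False, True, False),  # shared admin account
    Account("ksmith", "E102", True, False, False, False),      # no MFA, low-risk access
    Account("old-intern", "E999", False, False, False, False), # disabled, ignored
]

def review_accounts(accounts, roster, as_of):
    """Return (username, code, detail) for each active account that contradicts
    leaver offboarding, named ownership, or MFA expectations."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are not an exposure for this review
        if a.owner_id is None:
            findings.append((a.username, "SHARED", "no named owner; assign or remove"))
        elif a.owner_id not in roster:
            findings.append((a.username, "ORPHAN", "owner not on HR roster"))
        elif roster[a.owner_id] is not None and roster[a.owner_id] <= as_of:
            findings.append((a.username, "LEAVER", f"owner left {roster[a.owner_id]}; disable"))
        if (a.privileged or a.remote_access) and not a.mfa_enrolled:
            findings.append((a.username, "NO_MFA", "privileged/remote access without MFA"))
    return findings

def evidence_summary(findings):
    """Counts by finding code: the headline figures an access review record should carry."""
    summary = {}
    for _, code, _ in findings:
        summary[code] = summary.get(code, 0) + 1
    return summary

if __name__ == "__main__":
    for username, code, detail in review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{username}: {code} - {detail}")
```

Keeping the dated output of each run alongside the roster extract used gives the "access reviews" evidence the at-a-glance table asks for.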

A useful external reference for incident handling practices is the NIST Computer Security Incident Handling Guide (SP 800-61).

Also keep in mind that breaches are not only an IT cost. IBM’s widely cited annual research on breach impacts (global data) highlights that incident costs can be significant and prolonged, including legal work, response, and lost business. See the IBM Cost of a Data Breach Report.

8) Gap: Vendor and processor oversight is weak (supply chain exposure)

A large portion of personal data handling happens through third parties: cloud hosting, payroll, marketing platforms, customer support, debt collection, security companies, and consultants. The gap is usually not “we have vendors”; it is “we have no proof that we assessed them, contracted with them properly, or monitored them.”

Fix: Build a vendor oversight process that is proportional to risk. High-risk vendors should trigger stronger due diligence, clearer contract requirements, and periodic review. Contracts should clearly define what the vendor can do with personal data, how they secure it, how incidents are reported, and what happens when the engagement ends.

“Fixed” looks like a vendor register that flags personal data exposure, a due diligence record, and contract clauses that match your expectations.

9) Gap: Cross-border transfers are not managed (especially with cloud services)

Even small organisations often transfer data internationally through email hosting, file storage, HR platforms, CRM systems, and support tools. A common compliance gap is using these services without documenting where data may go, what protections apply, and what risks remain.

Fix: Document cross-border data flows as part of your inventory, then assess and record the safeguards you rely on (contractual terms, security measures, and vendor controls). Where transfer risk is higher, document the rationale for proceeding and any additional mitigations.

“Fixed” looks like a transfer register tied to systems, not guesswork.

10) Gap: Breach response exists on paper, but is untested

When an incident happens, the real question is whether your organisation can respond calmly and consistently: contain the issue, preserve evidence, assess what data was affected, decide whether notification is required, and communicate responsibly.

The common gap is a plan that has never been rehearsed. People do not know who calls whom. The decision-making chain is unclear. The organisation scrambles, and delays increase harm.

Fix: Convert your incident response plan into a practical playbook and test it. Run tabletop exercises using scenarios that match your operations (lost laptop with HR files, misdirected email, exposed cloud folder, ransomware, third-party compromise). Include legal, IT, operations, HR, and communications.

“Fixed” looks like clear roles, an incident log, evidence preservation steps, and a post-incident review process that improves controls.

A realistic prioritisation approach (so you do not stall)

If you try to fix everything at once, many programmes fail. A practical way to sequence improvements is:

  1. Visibility first: data inventory, ownership, and high-risk systems.

  2. Control next: security access, vendor contracts, retention, and rights handling.

  3. Assurance ongoing: testing, audits, training refreshers, and incident drills.

PLMC’s Data Protection Jamaica: compliance roadmap for 2026 is a helpful companion if you want a quarter-by-quarter plan.

Frequently Asked Questions

What is the most common reason organisations fail data protection compliance reviews?
The most common failure is lack of operational evidence. Policies exist, but there is no data inventory, no request log, no vendor due diligence record, no retention proof, and no tested incident process.

Do small businesses in Jamaica need a full privacy department to comply?
Typically, no. Most SMEs can improve compliance significantly by assigning clear accountability, documenting a simple data inventory, tightening vendor management, and implementing a basic rights and incident process. The key is consistency and proof.

How often should we update our privacy notice?
Update it whenever your processing changes in a meaningful way (new data types, new purposes, new sharing, new vendors, new cross-border transfers), and also set a routine review cadence so it does not become outdated.

What should we do first if we suspect a data breach?
Contain the incident, preserve evidence, and trigger your internal escalation process quickly. Then assess what data was affected, who may be impacted, and what notifications or communications may be required.

How do we know if our vendors are a privacy risk?
Start by identifying which vendors touch personal data, what type of data they handle, and whether they can affect confidentiality, integrity, or availability. Higher-risk vendors should have stronger contract terms, security assurances, and periodic review.

Need help closing these gaps (without overbuilding the programme)?

Privacy & Legal Management Consultants Ltd. (PLMC) supports Jamaican organisations with practical, defensible data protection compliance through implementation support, GRC integration, training, and risk-based assessments.

If you want an expert view on where your biggest exposure sits, book a free consultation with PLMC via privacymgmt.org and ask for a focused gap review against the 10 areas above.