Data Protection Officers Can Serve More Than One Entity
By: , January 23, 2024
Photo: Contributed
Information Commissioner, Celia Barclay.The Full Story
As entities advertise vacancies for Data Protection Officers (DPOs), Information Commissioner, Celia Barclay, has advised that an individual can serve as a DPO for more than one entity.
Under the Data Protection Act, 2020, Data Controllers that are public authorities, large-scale data processors and processors of sensitive personal data are required to appoint a DPO.
“We have contemplated that based on the large volume of Data Controllers, it would be reasonable and practical to expect that data protection service providers will have a range of clients or multiple clients,” Ms. Barclay told JIS News.
She urged entities to be mindful of the cost of doing business and its implications for continuity and sustainability, noting that “persons need to realise that like with anything else, how you go about getting a service is a business decision for you to make”.
Ms. Barclay said an entity may be relatively small but required to appoint a DPO on the basis that it processes sensitive personal data.
She likened the appointment of a DPO to that of legal services, pointing out that every business can have legal issues and require the services of a lawyer, but not every business permanently engages a lawyer on retainer.
Therefore, she said the arrangement made by Data Controllers with DPOs will depend on what an entity is able to afford and facilitate.
“There is no requirement in the Act for the Data Protection Officer to be an employee of the organisation. He or she doesn’t have to be a member of your staff. This is a service that you can engage, contract and outsource,” Ms. Barclay pointed out.
She said there are, in fact, data protection and privacy service providers who can be contracted on different bases – a consultant to provide one-time advice, on retainer to do periodic checks, analyses and make recommendations, or service providers who assist with setting up an entity’s framework for data protection and then are on call in the event of a breach.
“The arrangements will vary and what you put in place and the flexibility of that arrangement is really going to depend on the needs of the organisation and who they choose to engage. In a similar way, the cost to the organisation will very much depend on the type of service and the terms and conditions of that service provider,” she said.
The Office of the Information Commissioner (OIC) serves as the cornerstone of data protection in Jamaica, safeguarding the rights of individuals to the privacy of their personal data.