Industry Guides
Data Protection for IT and Web Companies
Guidance for Jamaican IT firms, web developers, and agencies that are often data processors for their clients.
What you will learn
- When you are a processor and when you are a controller
- Your duties when handling client data
- Building data protection into the systems you deliver
- Practical steps for agencies and developers
Overview
IT companies, web developers, and digital agencies handle personal data constantly, but mostly on behalf of their clients. That makes the controller and processor distinction central to how the Act applies to you. This guide explains your position and your duties.
Why this matters
Your clients rely on you to handle their customers' data responsibly, and increasingly they will ask you to prove it. Being clear and professional about data protection is becoming a competitive advantage, and getting it wrong can expose both you and your clients.
Controller or processor?
In most engagements you are a processor: you handle the client's data according to the client's instructions, and the client decides the purposes. For your own staff and customers, you are a controller (see Who is a Data Controller?).
Your duties as a processor
As a processor you generally must:
- act only on the client's documented instructions
- keep the data secure
- use sub-processors only with the client's awareness and proper terms
- help the client meet their obligations, such as responding to access requests and breaches
- work under a written contract that sets out these duties
Build data protection into what you deliver
When you build websites and systems, you shape how your clients collect and protect data. Help them by:
- collecting only necessary data and using sensible defaults
- adding clear consent and cookie handling where needed
- building in security: encryption, access control, and backups
- making it possible to find, export, and delete a person's data
Sub-processors
The cloud platforms, hosting, and tools you build on are your sub-processors. Choose reputable providers, keep them under proper terms, and disclose them to your clients.
Common mistakes
- Having no written data processing terms with clients.
- Leaving security and consent as "the client's problem".
- Using personal accounts or unmanaged tools to handle client data.
Best practices
- Keep a register of the client data you process and the sub-processors you use.
- Sign a data processing contract with every client.
- Make security and privacy part of your standard delivery.
Put this into practice
Keep a clear register of the data you process for clients and the providers you use.
Map your processors and clientsFrequently asked questions
Key takeaways
- IT and web firms are usually processors for client data and controllers for their own.
- As a processor you act on the client's instructions and need a written contract.
- You should build security and data protection into what you deliver.
- You also use sub-processors, which must be managed and disclosed.
