Industry Guides

Data Protection for IT and Web Companies

Guidance for Jamaican IT firms, web developers, and agencies that are often data processors for their clients.

Intermediate 15 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • When you are a processor and when you are a controller
  • Your duties when handling client data
  • Building data protection into the systems you deliver
  • Practical steps for agencies and developers

Overview

IT companies, web developers, and digital agencies handle personal data constantly, but mostly on behalf of their clients. That makes the controller and processor distinction central to how the Act applies to you. This guide explains your position and your duties.

Why this matters

Your clients rely on you to handle their customers' data responsibly, and increasingly they will ask you to prove it. Being clear and professional about data protection is becoming a competitive advantage, and getting it wrong can expose both you and your clients.

Controller or processor?

In most engagements you are a processor: you handle the client's data according to the client's instructions, and the client decides the purposes. For your own staff and customers, you are a controller (see Who is a Data Controller?).

Tip. A quick test: if it is your client's customers' data and you are only touching it to deliver your service, you are the processor for that data.

Your duties as a processor

As a processor you generally must:

  • act only on the client's documented instructions
  • keep the data secure
  • use sub-processors only with the client's awareness and proper terms
  • help the client meet their obligations, such as responding to access requests and breaches
  • work under a written contract that sets out these duties
Watch out. A breach in a system you built or host can become your client's breach, and your reputation. Build in security from the start, not as an afterthought.

Build data protection into what you deliver

When you build websites and systems, you shape how your clients collect and protect data. Help them by:

  • collecting only necessary data and using sensible defaults
  • adding clear consent and cookie handling where needed
  • building in security: encryption, access control, and backups
  • making it possible to find, export, and delete a person's data

Sub-processors

The cloud platforms, hosting, and tools you build on are your sub-processors. Choose reputable providers, keep them under proper terms, and disclose them to your clients.

Common mistakes

  • Having no written data processing terms with clients.
  • Leaving security and consent as "the client's problem".
  • Using personal accounts or unmanaged tools to handle client data.

Best practices

  • Keep a register of the client data you process and the sub-processors you use.
  • Sign a data processing contract with every client.
  • Make security and privacy part of your standard delivery.

Put this into practice

Keep a clear register of the data you process for clients and the providers you use.

Map your processors and clients

Frequently asked questions

Usually both. You are a processor for the client data you handle on their instructions, and a controller for your own staff and customer data.

Key takeaways

  • IT and web firms are usually processors for client data and controllers for their own.
  • As a processor you act on the client's instructions and need a written contract.
  • You should build security and data protection into what you deliver.
  • You also use sub-processors, which must be managed and disclosed.

Related

Ask the Privacy Assistant

Beta