Running a Compliant Business

How to Secure Personal Data

Practical, low-cost security steps any Jamaican business can take to meet the Act's security standard.

Beginner 13 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • What the security standard requires
  • Practical, low-cost steps to protect data
  • How to reduce the damage if something goes wrong
  • Where most small businesses are exposed

Overview

The Act's seventh standard requires you to keep personal data secure against loss, damage, and unauthorised access. The good news is that most effective security comes from straightforward habits, not costly technology. This module gives you a practical starting point.

Why this matters

Security is where data protection most often fails, and where the harm is greatest. A lost laptop, a shared password, or a misconfigured cloud folder can expose hundreds of people. Strong basics protect your customers and your business.

What the law says

The seventh standard (in the security provisions of the Act, sections 22 to 31) requires appropriate technical and organisational measures to protect personal data. "Appropriate" scales with the sensitivity of the data and the harm a breach could cause, so a clinic should do more than a corner shop.

Practical steps

Control who can access data

  • Give each person access only to what their role needs.
  • Remove access promptly when someone leaves.
  • Use individual logins, never shared accounts.

Protect devices and accounts

  • Use strong, unique passwords and a password manager.
  • Turn on two-factor authentication wherever it is offered.
  • Encrypt laptops and phones, and lock screens when away.

Protect data in transit and at rest

  • Avoid sending personal data in plain emails or messaging apps.
  • Use reputable, secured cloud services and check their settings.

Back up safely

  • Keep regular backups, and make sure they are protected too.
  • Test that you can actually restore from them.
Tip. If you only do three things this month: turn on two-factor authentication, tighten who can access what, and confirm your backups work.

Reduce the damage if something goes wrong

Good security also means limiting harm when an incident happens. Encryption, least-privilege access, and reliable backups all shrink the impact of a breach. Pair them with the plan in What to Do If You Have a Data Breach.

Watch out. The weakest link is usually people, not technology. Untrained staff and reused passwords cause more incidents than sophisticated attacks.

Common mistakes

  • Sharing one login across the team.
  • Storing sensitive data on unprotected personal devices.
  • Never testing backups until you need them.

Best practices

  • Write a short, simple security policy and train staff on it.
  • Review access rights regularly.
  • Keep software and devices updated.

Put this into practice

See where your current safeguards stand and what to improve first.

Check your compliance

Frequently asked questions

No. Most of the biggest gains come from access control, strong passwords, device protection, and backups.

Key takeaways

  • The seventh standard requires appropriate security for personal data.
  • Most strong protection comes from simple habits, not expensive tools.
  • Limit who can access data, protect devices, and back up safely.
  • Good security also limits the damage when something does go wrong.

Related

Ask the Privacy Assistant

Beta