top of page

Jamaica Data Protection Act v GDPR

Action / Activity

Registration with the Information Commissioner’s Office

Privacy notice

Conditions for processing

Personal Data


Data Subject Rights

Right of Access

Direct Marketing

Data Protection Officer

Data Protection Impact Assessment

Data Breach



Liability for damage

Jamaica Data Protection Act

A data controller must register and supply accompanying documentation to the ICO prior to using personal data.

A privacy notice is not specifically mandated.

Processing must comply with at least one condition.

The definition includes information about living individuals and those who have been deceased for less than 30 years.

The law stipulates eight data protection standards

Some individual rights are specifically labelled whereas others are articulated within the text of the legislation.

The data controller may charge a fee to communicate information to the individual.

The data subject must either be a customer of the data controller or must have given their consent to direct marketing.

A data protection officer must be appointed if certain criteria are met.

The data controller must submit each year to the Information Commissioner a data protection impact assessment of all personal data being held.

Personal data breaches must be reported to both the Information Commissioner and the data subject.

Several offences for breaching or failing to comply with the Data Protection Act

The Data Protection Act specifies a range of financial penalties and periods of imprisonment.

The data controller is liable for compensating the individual who suffers damage.

UK GDPR / Data Protection Act

Accompanying documentation is not required when registering with the ICO.

Data controllers must publish and make available a privacy notice to data subjects.

Processing must comply with at least one lawful basis.

The definition applies only to living individuals.

The law stipulates seven data principles.

The eight individual rights are prominently listed within the legislation.

The data controller may charge a fee only if the request is deemed to be excessive or manifestly unfounded.

The rules are broadly the same.

The rules are broadly the same. Except, there is no mandated requirement for the data protection officer to report the data controller’s non-compliance to the Information Commissioner.

Submission to the Information Commissioner is required for only data protection impact assessments where the residual risk level is categorized as high.

Data breaches posing a risk to the data subject must be reported to the Information Commissioner. Data breaches which are likely to cause a high risk must be reported to the data subject.

The offences are more limited.

There are no specified custodial sentences under the Data Protection Act all offences are punishable only by a fine of up to £17 million.

The rules are broadly the same.

© 2022 Avla Business Services Ltd. 

bottom of page