Protect personal data, conduct regular training – NDMA Head in Data Protection Day Message

Emphasising that “data protection is everyone’s responsibility”, Cybersecurity Director at the National Data Management Authority (NDMA), Muriana McPherson, has sounded a call for organisations to put systems in place to ensure the personal data are protected including regular training for employees.
She made these remarks in her message in recognition of Data Protection Day 2024, or Privacy Day as it is otherwise called, which is observed on January 28 annually.
According to McPherson, the NDMA is commemorating this day by raising awareness on the importance of data protection. She noted that modern organisations – whether large enterprises, small businesses, or medium-sized companies – usually collect, store, process, use, and share data which includes their employees’ and customers’ personal identifiable information.
However, the Cybersecurity Director pointed out that these personal data can traverse the boundaries of an organisation’s network, and it can reside on a plethora of devices ranging from an individual’s mobile phone to an organisation’s on-premises server, to a cloud server in another country.

To this end, McPherson noted that while organisations must make personal data accessible to employees and other stakeholders, it is even more imperative that they ensure that the privacy of the individual data subject is maintained.
“It is imperative, therefore, that both organisations and individuals alike, understand the risk associated with the use of personal data, and ensure that prudent measures are implemented for its protection. Managing and securing personal data is one of the most complex and challenging tasks for any organisation or individual when contemplating the risk of personal data breach,” she urged.
The NDMA Head explained that data protection is important to both reduce risk and enable a proactive response to associated threats. This, she added, is especially crucial given the current age of targeted cyber-attacks aimed at stealing personal identifiable information including financial and health data.
“This is an era where mobility and convenience of accessing data from anywhere using any device is the new norm. A period in which the prevalence of both trusted employees and others’ actions – unintentional or intentional – has resulted in personal data breach,” McPherson stated.
On this note, the Cybersecurity Director offered some steps that organisations and individuals can implement to protect personal data. These include: managing data access by establishing and enforcing policies surrounding levels of access granted to data users, with regular oversight; promptly applying vendor-released patches and software updates to systems given that attackers commonly take advantage of unpatched computer systems and software to gain access to personal data; implement malware detection software, which is crucial in safeguarding against common Internet-based threats, such as web-based malware designed to steal data; ensure that personal identifiable data is encrypted both at rest, and in transit to prevent unauthorised disclosure; enable multifactor authentication (MFA) as an absolute requirement for all applications and services that are used to access personal data; and implement network security controls such as firewall and intrusion prevention systems to regulate data flows, and to identify and stop known threat attempts.
However, even with the installation of this measure, the NDMA Head said no data protection strategy is complete without ample security awareness training for all who access and interact with organisations’ sensitive data.
“It should come as no surprise that intentional and unintentional mistakes of employees, contractors and partners represent the biggest threat to data security and the most significant challenge in personal data breach prevention. Hence, proper training that covers data usage guidelines, password policies and common threats, such as social engineering and phishing scams, should be conducted regularly,” McPherson posited.
In August 2023, Guyana passed its first Data Protection Act to regulate the handling of personal data to protect the privacy of individuals concerning their data.
The Cybersecurity Director implored organisations to get familiarised with the Data Protection Act of 2023. She also asked that they keep an inventory of the type of personal data they use, know where it resides, and how it is accessed and managed. Then, McPherson added, organisations should apply appropriate protection mechanisms to safeguard personal data and maintain privacy.
The Data Protection Bill was created to regulate the collection, keeping, processing, use and dissemination of personal data. It sets a statutory framework, moving away from the current construct of the country’s legislation, which does not safeguard against rights to data protection.
Personal data has been defined as any information relating to an identified or identifiable person, about private and public life as well as professional activities.
The Bill prescribes that a body be established, recognised as the Data Protection Office, which shall be responsible for the administration and implementation of the Act. The President will also be empowered to appoint a Data Protection Commissioner.
The new law also contains sanctions for data protection breaches. A person who fails to comply with the enforcement notice, an information notice, or a special information notice commits to an office and can be fined $1 million or imprisoned for three months.
Any person who intentionally obstructs the execution of a warrant, fails to provide the Police with required assistance, or makes false statements under certain subsections can be fined $1 million- or six months’ imprisonment.
There are penalties for data controllers, which are persons who determine the manner and purpose of which personal data is processed. It is a criminal offence for such officers to operate without being registered or without nominating a representative, carrying a fine of $10 million- or two months’ imprisonment.