PROTECTION

Companies asked to comply with data registration by July 14

In March, the Parliament approved a set of data regulations, paving way for the safeguarding of personal data in the country.

In Summary
  • Failure to register will cost firms Sh5 million or up to one per cent of their annual turnover of the preceding financial year whichever is lower.
  • The complaints handling regulations came into effect on March 14. 
Data Commissioner Immaculate Kassait during the status update report on 100 days in office in Nairobi on Wednesday February 24.
SAFEGUARDING PERSONAL INFORMATION: Data Commissioner Immaculate Kassait during the status update report on 100 days in office in Nairobi on Wednesday February 24.
Image: ICT MINISTRY

Companies with an annual turnover of above Sh5 million and have at least 10 employees are expected to comply with data registration requirements by July 14 or face penalties. 

Professional services consulting firm, Pricewaterhouse Coopers (PwC) has warned that failure to register will cost firms Sh5 million or up to one per cent of its annual turnover of the preceding financial year, whichever is lower.

''The processing of personal data is core to a wide range of business sectors. Companies should hurry to comply with registration requirements before they take effect in mid-July,'' PwC says in a regulatory alert.

In order to register, data controllers and processors are required to provide to the Office of the Data Protection Commissioner (ODPC) a range of information including a description of the personal data to be processed

A description of the purpose for which the personal data is processed must be indicated, the category of data subjects to which the personal data relates and the contact details of the data controller.

Any measures to protect the data subjects from unlawful use of their personal data by the data controller must also be listed in the online registration portal. 

The regulation on registration will follow the data protection (General) regulations, 2021 and the complaints handling regulations which took effect on March 14. 

It largely provides for rights of a data subject and limitations to commercial use of such information.

In the event of commercialisation of data, a data controller who uses personal data for commercial purposes without the consent of the data subject commits an offense.

He or she is liable, on conviction, to a fine not exceeding Sh20,000 or to a term of imprisonment not exceeding six months, or to both fine and imprisonment according to the data protection act.

In March, the Parliament approved a set of data regulations, paving way for the safeguarding of personal data in the country.

They include the data protection (General) regulations 2021 and the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021.

Others are the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.