KAMANDE: Data privacy: How this right is protected in Kenya

It will be mandatory for organisations to update their technology systems to track possible breaches.

by KENNEDY KAMANDE

18 October 2023 - 17:01

In Summary

  • Businesses must first conduct an in-depth assessment of their current data management and protection policies.
  • This inventory covers the data the organisation holds and collects, the format it is held in, where it is held, and the level of detail.

Photo caption: A user registers for Worldcoin at KICC on Tuesday, August 1, 2023.

According to a recent survey, 36 per cent of Kenyan businesses are not aware of Kenya's data protection regulations, and many are unclear about how to comply.

Data privacy and protection are crucial to all types of businesses because of increasingly expensive ransomware payouts, cryptomining attacks, and massive leaks of sensitive information to hackers. Globally, data protection laws exist in more than 120 countries, including 25 African states.

In November 2019, Kenya enacted its Data Protection Act, with the three specified data protection regulations coming into effect in February last year to govern what businesses inside and outside the country can do with information collected about Kenyan citizens in any digital format. This was a major stride forward for people's online privacy in the country.

The Act imposes obligations on data controllers and data processors to provide security measures and mechanisms to ensure the protection of personal data against unlawful destruction, loss, alteration and transfer.

In September 2023, the Office of the Data Protection Commissioner (ODPC) imposed fines totalling Sh9.4 million on three data controllers for failing to comply with the provisions of the Act on processing of personal data of data subjects.

Mulla Pride Ltd, a digital credit provider that operates the KeCredit and FairKash mobile lending apps, was penalised Sh2.98 million for sharing complainants' names and contact information with third parties, who later sent threatening messages and made threatening phone calls.

Casa Vera Lounge in Nairobi was slapped with a Sh1.9 million fine for posting a reveller’s image on its social media platform without consent. Similarly, Roma School will have to pay the regulator Sh4.6 million for posting minors’ pictures without parental consent.

Complying with the new, progressive data protection regulations will involve growing pains, especially if your data is currently held on several different servers, managed by different employees, and processed for different reasons.

Non-compliance with the rules in the Act, including the so-called 'right to be forgotten', carries a general penalty of a fine not exceeding Sh3 million or one per cent of a business's annual turnover (whichever is lower), an imprisonment term not exceeding ten years, or both.

It is now illegal to collect, process, analyse or disclose a data subject's (an individual person's) information without their consent. Approval and authorisation are now the most frequent basis upon which data controllers or data processors process personal data.

Selling any personal data to a third party without express consent and prior authorisation is a criminal offence, liable to a fine not exceeding Sh5 million, imprisonment for a term not exceeding two years, or both.

If a business that collects information about Kenyan citizens in any digital format fails to register with the ODPC as a data processor or controller, or provides false information during the application process for registration, it is liable for administrative fines too.

Given the high magnitude of the penalties imposed for non-compliance (not to mention the reputational and credibility damage), it is vital to become compliant as soon as possible.

To begin the journey to compliance with Kenya's data protection regulations, businesses must first conduct an in-depth assessment of their current data management and protection policies. This inventory covers the data the organisation holds and collects, the format it is held in, where it is held, and the level of detail.

The business then evaluates whether it is compliant with the regulations and, where necessary, acts on the assessment's recommendations to change its processes to comply with the law.

Register with the Office of the Data Protection Commissioner: If you hold and process people's private data, you must register with the ODPC (even if you are based outside Kenya). Moving forward, if your data is breached, you must notify the Data Protection Commissioner within 72 hours.

Unless you have express permission from the data subject, most data you collect will need to be stored within Kenya’s territorial boundaries (in either a server or a cloud data centre).

Given the evolving digital threat landscape and local data privacy regulations, many Kenyan businesses will be under an obligation to appoint a data protection officer whose job will be to monitor internal data processing activities and ensure compliance.

It will be mandatory for organisations to update their technology systems and implement new technologies to ensure security by design, to track possible breaches, and to encrypt data at rest and in transit.


The writer is a data scientist pursuing an MSc in Artificial Intelligence at the University of Edinburgh in Scotland

© The Star 2024. All rights reserved