The business of data in Kenya: A gold mine and a minefield

Campaigns for Kenya’s General Elections on 9th of August 2022 are in full swing. And that means that some of us have had to deal with being inundated with politically charged messages, never mind that we already deal with unsolicited marketing messages and, further, Kenyan conmen, some allegedly from Kamiti prison, trying to rob us of our monies. Just last year, most of us were left bemused at finding out that we were members of various political parties on E-citizen without our knowledge or consent. The data collection and processing sector is a goldmine and a minefield in Kenya, not least because it can be, and has been, used by discredited organisations such as Cambridge Analytica to guide particular political agendas on social media platforms and influence Kenyans during sensitive electioneering periods. With so many data breaches in the past, many Kenyans are desensitized to dealing with the repercussions of our data being publicly available to anyone who wishes to (mis)use it.

The Data Protection Act, 2019, assented to by the President and commenced in November 2019, was late, having been awaited for almost a decade, but most welcome. The Act finally gives effect to Article 31 of the Constitution of Kenya, 2010, which recognizes the right to privacy and underscores Kenya’s commitment to meeting international data protection standards. The Act recognizes that the risks involved in breach or misuse of personal data are expensive and need to be comprehensively governed, punished or mitigated. A recent VOA article reported that, as at January 2019, data breaches cost companies worldwide almost $4 million on average for every incident.

For as long as you engage in business that derives data from Kenyans, whether collecting or processing data, you are directly affected by the Act, and it is upon you to comply. The Act creates the Office of the Data Protection Commissioner to implement the Act. The Office, among other matters, regulates:

  1. the collection, processing, storage and transfer of personal data within Kenya or derived from Kenya;
  2. grants Kenyans rights and power over their data;
  3. prescribes data thresholds for registration with the Data Protection Commissioner;
  4. provides for entities to appoint data protection officers;
  5. requires entities to routinely undertake data protection impact assessments; and,
  6. provides a dispute resolution process relating to data protection.

It is prudent for businesses engaged in the data collection or processing field not just to appoint data protection officers in line with the Act, but also to develop data protection policies that will bind all staff and may form part of the employment contracts, thereby providing stronger commitment levels towards data protection. Businesses are also advised to develop standard operating procedures (SOPs) with respect to data processing, which would clarify how data collection, processing, storage and transfer will be undertaken, as well as provide practical ways to deal with data security, retention, deletion and disputes. Businesses are also advised to carry out data protection impact assessments to know where the business stands in terms of data protection and what it needs to do to comply with the Act.

The Office of the Data Protection Commissioner has since enacted provisions to give effect to the Act, including the Data Protection (General) Regulations, the Data Protection (Compliance and Enforcement) Regulations, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations. These were gazetted on 14th of January 2022 and became operational on 11th of February 2022, subject to annulment or approval by Parliament. The key provisions of these regulations relate to the processing of personal data once consent has been acquired and, perhaps most importantly, the registration of data processors and controllers (who fall within the prescribed thresholds). While exemptions to registration do exist, certain data-centric sectors are inherently not exempted, no matter their turnover. A grace period of 6 months is provided to comply with the Act and its regulations.

Penalties for enforcement are high, and it is advised that businesses working with Kenyans’ data make use of these 6 months to learn and comply.

If you wish to learn more about your required compliance with the Kenyan Data Protection Act, and its regulations, please reach out to me at halima@hawahussein.com

Photo credit: https://www.raconteur.net/data-privacy-red-flags/
