The EU law on privacy and what it means for Kenya


With the ushering in of the European Union’s General Data Protection Regulation (GDPR) on May 25, 2018, several companies within the bloc have been compelled to adjust to ensure that any data they handle is well secured.

Locally, the big question that lingers in the minds of service providers is whether the GDPR has extended its tentacles into the country and, if so, how best they can strike the delicate balance between protecting the rights of their customers and ensuring that their daily operations are not crippled.

Article 3 of the GDPR has widened the territorial scope of the regulation. It states that the regulation applies to the processing of personal data of data subjects (individuals) who are in the EU by a controller (any company) not established in the Union.

This is specific to processing activities related to the offering of goods and services, irrespective of whether payment by the data subject is required. Additionally, it applies to the monitoring of the behaviour of data subjects as far as that behaviour takes place within the EU.

The scope gets wider still, as the Article further provides that the Regulation applies to the processing of personal data by a controller not established in the Union but in a place where the national law of a Member State applies by virtue of public international law, such as an embassy.

Additionally, Article 25 imposes a duty on any organisation outside the EU which falls under the GDPR regime because of its activities to appoint a representative in that Member State. The representative will be a point of contact for the entity’s Data Protection Officer. However, this does not apply to entities whose data processing activities are occasional and do not include large-scale processing of sensitive data.

What does this mean for Kenya? In a nutshell, an organisation does not need a physical presence in the EU to be required to comply with the GDPR. As long as a locally incorporated company or a subsidiary collects and stores information on a citizen of any EU member state, in whatever form, compliance is no longer optional.

If a company has employees or customers based in Europe, then it must be GDPR compliant. The rules require any company that collects and stores data on any EU citizen to justify why it is storing this information and to explain what it will use the data for. Companies are also required to document the user’s consent to the storage of their data.

Additionally, companies are required to provide all stored information on a user should the user ask for it, and to delete the same information (including backups) should a user wish to be “forgotten”.

Local businesses must tread cautiously; the focus on data protection within the GDPR is not only on customers’ information and external data but also on data held within the organisation itself. If an entity has employed a European, then, in the ordinary course of employment, the Human Resources department is required to collect personally identifiable information from this individual. This directly amounts to the collection of personal data, ultimately requiring the organisation to comply with the GDPR.

Undoubtedly, several local companies have been affected by the GDPR. The consequences of non-compliance are colossal. The first level of fine is up to 10 million euros or two per cent of the company’s global annual turnover for the preceding fiscal year. This fine is specific to infringements listed under Article 83(4) of the GDPR. These include infringements relating to, amongst others, the security of processing, communication of a personal data breach to the data subject, and records of processing activities.

The higher level of fine, up to 20 million euros or four per cent of a company’s annual global revenue for the preceding fiscal year, applies to infringements specific to Article 83(5), which relate to the rights of the data subject and the transfer of personal data to an international organisation.

What next for companies in Kenya? Local companies and subsidiaries must comply. They need to confirm whether they hold personally identifiable data of an EU citizen. Once this is confirmed, the organisation must comply with the GDPR.

Njoki Kamau and Munga Ndichu, Partners, Grewin Advocates & Consultants LLP.