In the wake of the Facebook and Cambridge Analytica data scandal, the EU is bringing into force one of the most sweeping extra-territorial privacy laws in the world.
The EU’s General Data Protection Regulation (GDPR) comes into force this Friday, May 25.
The main objective of GDPR is to protect the ‘data subject’ in the EU, that is, an individual located in the EU, from breaches of data privacy.
A key provision of the regulation is that companies must obtain explicit opt-in consent, presented in clear, easy-to-understand language, before collecting and handling EU users’ data.
Unlike past practice, this consent cannot be tucked away among other terms and conditions. Silence, pre-ticked boxes or inactivity do not count as consent, so a company cannot collect data and simply assume the user has agreed, a practice that has been commonplace until now.
Companies that leverage big data to automate decision-making will have to assess how this legislation affects them and put in place controls for data management.
What makes this law one of the toughest privacy regulations is its expansive territorial reach.
GDPR applies to all companies processing the personal data of individuals in the EU, regardless of the company’s location or size.
The penalties for non-compliance show how seriously EU lawmakers take enforcement.
Businesses contravening the law may be fined up to four per cent of their annual global turnover or €20 million (Sh2.4 billion), whichever is greater. There is also potential for collective legal action by individuals affected by a breach.
Impact on Kenyan companies
It is important to remember that GDPR applies not only to EU-based organisations but also to those located outside the EU if they collect or process the personal data of EU residents.
Kenyan businesses therefore need to assess whether they currently conduct, or plan to conduct, business in the EU or with EU residents.
Once this question is answered, the next step is to review the business model to find out whether it involves the data of people in the EU and, if so, what that data is. This should determine whether the business needs to comply with GDPR.
A key factor for Kenyan firms to consider when assessing the impact of GDPR is whether the organisation ‘monitors the behaviour’ of individuals in the EU, for example through cookies or IP addresses.
This includes tracking an individual on the Internet and using profiling techniques to analyse their behaviour and attitudes and predict their personal choices.
This is a wake-up call for companies that leverage big data and artificial intelligence to drive their business. It means that a good number of local companies, including Internet service providers, airlines, media firms, banks, insurance companies and mobile phone providers, are going to be affected.
The primary point is that GDPR gives data subjects control of their data. Most importantly, the regulation demands sweeping changes in how organisations request consent from clients to use their information.
Some companies have been accused of using long, illegible terms and conditions full of legal jargon to obtain such consent.
GDPR demands that a request for consent be clearly distinguishable from other matters and be presented in a clear and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Key among these provisions is the requirement for affected companies to keep an inventory of the personal data of EU residents that they hold.
Data subjects have the right to receive, on request, the personal data they previously provided to a company in a machine-readable format (the right to data portability). Persons whose information is held by affected organisations have been given other extensive rights as well.
Right to be forgotten
Individuals now have the right to ask data controllers (i.e. companies holding their information) to erase any personal information in their custody and to cease further processing and dissemination.
Alongside these rights sits an obligation on the organisation itself: it must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach and, where the breach is likely to result in a high risk to the affected individuals, notify those individuals without undue delay.
EU persons also have the right to obtain from the data controller confirmation as to whether their personal data is being processed, where and for what purpose. This means an EU customer can require a Kenyan bank to confirm what it has been doing with his or her data.
Enforceable outside the EU
So, how will the extended territorial reach of GDPR be enforced outside the EU? There is no clear guidance on this, but it is possible that a data protection authority (DPA) in an EU member state, such as the UK’s, could seek a court injunction to block a service if personal data is being unlawfully processed.
It is difficult to assess how practical this would be in Kenya without analysing the international law on the enforceability of such rules.
In my view, one possible way of enforcing GDPR is by applying the objective territoriality principle, which would give European regulators jurisdiction over foreign websites or online service providers based solely on their use of equipment or the location of servers within the EU. The regulation also gives regulators a contact point: under Article 37 a non-EU organisation caught by GDPR is generally required to designate a representative established in the EU, who can be addressed by supervisory authorities and data subjects on its behalf.
Nonetheless, Kenyan organisations need to be aware that GDPR exists and will have an impact on the way they do business with EU residents.
Preparedness for the new law
So far, entities located in jurisdictions with strict privacy legislation are finding it easier to comply with GDPR, because their domestic privacy laws already cover most of the GDPR requirements.
Unfortunately, Kenya has not passed any data privacy law. This means that Kenyan companies will have to start from scratch as they figure out how to comply.
It is, however, important to bear in mind that GDPR will affect Kenyan organisations more than many people realise. No company is exempt because of its size or any other consideration.
The first step companies should take is to assess the likelihood of GDPR applying to their business. Identifying sources of personal data is an important part of this: for instance, identify who is visiting the company’s website and what data is collected from them.
To better protect themselves from legal exposure, companies that already have internal data privacy policies and procedures should conduct a gap analysis against GDPR and deal with the identified gaps.
GDPR establishes the role of Data Protection Officer (DPO). Appointing one is mandatory where Article 37(1) applies: for public authorities, and for organisations whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data such as health or criminal-conviction data. The DPO oversees the organisation’s GDPR compliance framework.
The DPO’s responsibilities include educating employees on the GDPR compliance requirements. The DPO also serves as the point of contact between the organisation and its supervisory authority.
Whether a local company is required to appoint a DPO therefore depends on how Article 37(1) applies to its processing. Ultimately, the fact that companies try to gain competitive advantage through big data means they will have to assess the risks related to controlling and processing that data.
Kiragu is a financial services regulatory compliance professional based in Canada and adjunct instructor at Strathmore Business School.