LETTERS: How firms can forestall personal data breaches


For a long time, the right to privacy was relegated to the periphery, subsumed under other human rights.

In the recent past, however, the advent of digital technologies has thrust privacy into prominence. In particular, many public and private companies have adopted new technologies and systems aimed at cutting costs and enhancing the efficiency of their operations.

Notably, these systems are configured to harvest huge amounts of personal data from their users, which puts customers' privacy into focus.

While collecting customers' personal data is useful in enabling companies to authenticate their identity, it also poses a risk. In the absence of a robust data protection regime, this data can be misused, for instance by being sold to other companies for profit, thereby compromising customers' privacy.

Indeed, in the recent past, many companies across the globe have been slapped with hefty fines for personal data breaches. For example, just recently, the tech giant Facebook was fined five billion dollars by the United States' Federal Trade Commission for violating users' privacy.

Specifically, Facebook was accused of allowing a British consulting firm, Cambridge Analytica, to access personal data belonging to more than 87 million Facebook users without their consent, thereby compromising their privacy.

Similarly, in the United Kingdom, the Information Commissioner's Office (ICO) recently announced its intention to fine British Airways a record 183 million pounds for a personal data breach.

Specifically, the airline's website was compromised and customers' personal data, including names, email addresses and payment card details, was stolen. But the problem of personal data breaches is not unique to companies in developed nations.

One way of forestalling personal data breaches within a company's systems is to identify beforehand the data processing operations within those systems that are likely to undermine the privacy of personal data.

This is achieved by conducting a data protection or privacy impact assessment of the company's systems.

In essence, companies should engage privacy experts to assess the data processing operations within their systems that are likely to compromise the privacy of individuals. This assessment will reveal the flow of personal data within the system (what is collected, where it is stored, who can access it and with whom it is shared) and the potential exposure to breaches at each point.

The privacy impact assessment report will then inform data protection measures such as data encryption, as well as privacy-by-design features that can be added to the system to mitigate the identified risks. Indeed, this practice is provided for in progressive data protection regimes such as the European Union's General Data Protection Regulation (GDPR).

Specifically, Article 35 of the GDPR requires companies, before they begin processing that is likely to result in a high risk to the rights and freedoms of individuals, to undertake a data protection impact assessment that identifies those risks and the measures envisaged to address them. Where the assessment shows that the residual risk remains high, Article 36 further requires the company to consult the supervisory authority before processing begins.

In Kenya, although Parliament is yet to pass the Data Protection Act into law, companies handling personal data can avoid hefty fines associated with personal data breaches by undertaking privacy impact assessments of their systems.

This assessment will form the basis for integrating data protection and privacy considerations into the company’s operations thus forestalling personal data breaches.

Victor Kabata is a researcher and data privacy consultant in Kenya.
