Big firms face fines, jail time in three weeks for data rule breach



Companies are racing to review their data privacy policies to avoid a fine of Sh5 million or up to one percent of their annual turnover once the deadline lapses in three weeks’ time.

Data Commissioner Immaculate Kassait says there is an increased appetite for data protection among companies in Kenya, in line with regulatory compliance under the Data Protection Act, whose commencement date is July 14.

“Data protection is the new oil for businesses locally and globally and most have realized this, as the possibility of a breach could affect them with either bad reputation or low revenues, so many are ensuring that they are compliant,” she said. “July 14th is the commencement date for the new rules.”

Employees of Kenyan companies and government agencies who leak private customer data to third parties will face stiff fines and jail terms under the tough new laws that seek to shape how institutions collect, use and store personal information.

The scramble to comply by Kenyan firms will create new job opportunities for Kenyans, said UK-based data protection consultant Akin Oyegoke, the managing consultant of Johan ICT, a data protection-focused firm.

Sharing or offering for sale personal information could land those responsible for their safe storage jail terms of up to six months or fines of up to Sh5 million.

A data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence.

He or she is liable, on conviction, to a fine not exceeding Sh20,000 or to a term of imprisonment not exceeding six months, or to both fine and imprisonment, according to the Data Protection Act.

“In relation to an infringement of a provision of this Act, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to five million shillings, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower,” the Data Protection Act reads in part.

Commercial banks, technology companies like Safaricom, Airtel and Telkom Kenya, media groups, retailers, hospitals and hotels are among those targeted due to the vast amounts of customer information they hold.

Safaricom, for instance, plans to block customer contact details when payments are made through Lipa na M-Pesa, to prevent personal information from being traded to advertisers or leaking to fraudsters.

Earlier this month the telco cited technical hitches for the delay in rolling out the plan, which would have seen it start blocking customer contact details when they make payments through Lipa na M-Pesa from the end of June.

Under the new regime, Safaricom will only display the first name of subscribers making payments through the platform and a few digits of their phone number, effectively hiding the contact of the customer.

Privacy experts around the world have in the recent past expressed concerns about how personal data is collected and used by companies.

Questions have been raised on what happens, for instance, when a company that has access to consumers’ financial records from their shopping habits sells such data to third parties or uses it to tailor-make their marketing activities.

Health insurers and health care providers also face stringent fines if they breach the privacy of patients by sharing such data with third parties.
