Saccos, non-governmental organisations (NGOs), research firms and small and medium enterprises (SMEs) are lagging in compliance with data privacy laws, leaving room for customer and employee personal information to be stolen or transferred to third parties.
The 2022 Data Protection and Privacy Survey report by consultancy firm Ernst and Young shows that these entities have been slow to install technology that prevents data theft or destruction, train employees in compliance with the new data protection laws and appoint data protection officers.
They have also been slow in seeking registration as data processors or controllers with the Office of Data Protection Commissioner (ODPC).
On the other hand, the report found banks, insurers, telcos and healthcare firms leading in compliance with data privacy laws and registration, which has seen them reduce intentional breaches of personal information.
The survey follows a similar report released last year showing more than a fifth of Kenyan companies shared customer financial and personal information without consent.
“Certain industries are aware (of their obligations), and we want those lagging, like saccos, NGOs and others to catch up with the banks so that we do not have either intended or unintended selling of data or transfer of data,” said Ernst & Young digital, analytics and cybersecurity solutions partner, Robert Nyamu.
Compliance by large corporates such as banks has also been driven by their considerable financial muscle. Some also have a presence outside the country, and the Act requires them to meet certain demands, especially if they need to transfer personal data to another country.
The regulator is also set to make data privacy compliance and registration a necessity for business operation and licensing.