Half a decade after the introduction of data protection laws in Kenya, State-owned entities have demonstrated a tepid approach towards compliance with the legal framework, even as the government continues to pressure the private sector to conform.
A report unveiled by the Kenya ICT Action Network (KICTANet), a multi-stakeholder think tank for ICT policy and regulation in the country, reveals that only 85 out of the more than 240 state corporations have registered.
The report also criticizes the Office of the Data Protection Commissioner (ODPC) for delaying the implementation of section 55 of the Data Protection Act (DPA) 2019, which requires the development of a data-sharing code specifying the lawful exchange of data between government departments and public sector agencies.
Additionally, the absence of approved guidance notes for county governments perpetuates the lack of regulation among state entities at the county level.
“The trend underscores the government’s lackadaisical approach towards compliance with the data protection legal framework,” states KICTANet.
“This serves as evidence that despite the efforts of the ODPC, there are still implementation and compliance challenges facing State-led data processing operations.”
Notorious violators
Among private sector players, the financial services sector is singled out as the most notorious for DPA violations, with digital credit providers being the largest category of entities complained against by data subjects.
“Local and foreign digital credit providers have earned the reputation of being repeat violators of the provisions of the DPA,” reports KICTANet.
In response to the 1,030 complaints received by September 2022, the ODPC instituted an audit of digital lenders in line with section 23 of the DPA.
“However, the findings of the audit process are yet to be released for public consumption,” notes the report.
Other sectors with a notable number of violations include education (both private and public institutions), entertainment, and healthcare services, while segments with the highest compliance rates include agribusiness, advertising and marketing, cleaning services, hair and beauty services, and IT solutions.
In assessing the five years of DPA implementation, the report notes that the rules have had a demonstrable impact on the data protection practices of non-state data handlers.
Employment creation
This impact has led to new employment opportunities in the emerging industry, including researchers, auditors, lawyers, public policy personnel, innovators, and ICT practitioners offering various services in the field of privacy and data protection.
The implementation of the law has also significantly increased awareness levels of privacy rights and data protection among individuals and organisations in Kenya.
“The heightened awareness is crucial for fostering a culture of data protection and ensuring that stakeholders understand their rights and obligations under the law,” notes the report.
Compliance cost
However, small organisations have deemed the compliance costs too high, terming them an additional burden.
As of the close of last month, the ODPC had issued 5,195 registration certificates to entities, the result of a two-year drive. These numbers contrast significantly with the 105,531 business entities registered by the Registrar of Companies within the same period.
“At least 90 percent of potentially registrable business or corporate entities remain unregistered, demonstrating the need for continued efforts to promote awareness and compliance among data handlers,” says KICTANet.
In January last year, Data Protection Commissioner Immaculate Kassait unveiled the data protection registration system, allowing applicants to take charge of the registration as part of measures geared towards expediting compliance.
According to the rules, firms found in breach are liable to fines of not more than Sh5 million or up to one percent of their annual turnover.