Why firms are rushing to comply with data law

Data Protection Commissioner Immaculate Kassait. FILE PHOTO | NMG

Companies are racing to review their data privacy policies to avoid a fine of Sh5 million, or up to one percent of annual turnover for firms, once the deadline lapses in one week’s time.

The commencement date for the new rules under the Data Protection Act is July 14.

Under the law, sharing or offering for sale personal information could land those responsible for their safe storage in jail for up to six months or fines of up to Sh5 million.

A data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence. They are liable, on conviction, to a maximum fine of Sh20,000 or to a term of imprisonment of up to six months, or to both fine and imprisonment, according to the Data Protection Act.

“In relation to an infringement of a provision of this Act, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to five million shillings, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower,” says the new law.

Commercial banks, betting firms, technology companies such as Safaricom, Airtel and Telkom Kenya, media groups, retailers, hospitals and hotels are among those targeted due to the vast amounts of customer information they hold.

Employees and government agencies who leak private customer data to third parties will face stiff fines and jail terms under the tough new laws that seek to shape how institutions collect, use and store personal information.

Some financial institutions are required to collect detailed customer information for anti-money laundering, tax and accounting reasons.

Data security compliance has also been a key issue for the gaming industry.

The fast-growing gaming industry runs primarily on transactions, often large ones.

Like finance and banking institutions, casinos and betting firms must be diligent in guarding against cybersecurity threats, especially as mobile and online transactions have become the norm.

The gaming industry also relies on computer systems for operating gaming devices, gaming floor security, and gathering and storing player data, among other functions, all of which can be targets for hackers and cheats, experts say.

Betting firms licensed to operate in Kenya have hit 100, defying a government policy to clamp down on gambling through the imposition of higher taxes on both the companies and punters.

The list of betting firms licensed for the year ending June published by the Betting and Licensing Control Board (BCLB) shows the number had increased to 100 from 76 in a similar period a year earlier—reflecting a 31.5 percent growth.

The law applies to the processing of personal data, which it defines as information “entered in a record, by or for a data controller or processor, by making use of automated or non-automated means.”

Health insurers and providers of health care also face stringent fines if they breach the privacy of patients by sharing such data with third parties.

The law, however, exempts information exchanged between State agencies.

In May 2018, the European Union (EU) introduced the General Data Protection Regulation (GDPR), which saw Facebook and Google face several lawsuits from consumers who accused the companies of coercing users into sharing their personal data.

A complaint against Facebook was filed with Austrian data regulators while another one against tech giant Google was filed with French regulators.

Popular networking site WhatsApp was also slapped with a suit lodged with German regulators while another social site Instagram saw a suit filed with Belgian regulators as soon as the law took effect.

Data Commissioner Immaculate Kassait said earlier this month there is an increased appetite for data protection in line with regulatory compliance under the Data Protection Act, whose commencement date is July 14.

“Data protection is the new oil for businesses locally and globally and most have realised this as the possibility of a breach could affect them with either bad reputation or low revenues so many are ensuring that they are compliant,” she said.

The scramble to comply by Kenyan firms will create new job opportunities for Kenyans, said UK-based data protection consultant Akin Oyegoke, the managing consultant of Johan ICT, a data protection-focused firm.

“Any organisation that wants to work effectively needs to ensure the safety of their information by implementing a data protection framework which ensures that sensitive data is only accessible to approved parties,” said Mr Oyegoke.

“It also prevents criminals from being able to maliciously use data and helps ensure that organisations meet regulatory requirements.”

After the outbreak of the Covid-19 pandemic, many businesses and individuals across the world resorted to virtual business transactions, making them vulnerable to operational risks due to incorrect transaction processing or compromise of data integrity, data privacy and confidentiality.

Apart from technological errors, human factors such as negligence, employee fraud and hackers, among others, are some of the potential sources of operational risk for firms, warns Mr Oyegoke.

Data protection frameworks, he said, require controllers and processors to assess and maintain security in their data governance systems, including disclosing data breaches to the data protection authority and in some situations to the relevant data subjects.

A typical data protection framework will also include establishing organisational and technical measures, such as appropriate accountability documents as well as user access rights among other measures.

This promotes consumer trust and increased use of digital tools, which in turn incentivizes investment, competition and innovation in the digital economy.
