The Office of Data Protection Commissioner (ODPC) wants companies and businesses that are non-compliant in data registration denied operating licences.
The ODCP is set for talks with regulators in sectors including insurance, investment banking, betting and gambling, telcos and hospitality to have data registration as a condition for issuance of operating licence.
The office is now pushing for amendments of sector regulations to reflect this requirement, citing the Central Bank of Kenya (Amendment) Act 2021 that saw mobile money lenders fall under CBK oversight and compelled them to have a certificate in compliance with the Data Protection Act.
“We are embarking on discussions with regulators so that it becomes a pre-condition for on-boarding you for your license. It is in the interest of everybody,” said Data Protection Commissioner Immaculate Kassait.
The regulations require all public and private entities that deal with personal data to register including NGOs, churches and businesses operating CCTV systems outside their premises.
The requirement covers firms and organisations that process personal information for canvassing political support, gambling, crime prevention and prosecution of offenders.
Others include schools, hospitals and hospitality industry firms excluding tour guides, property management real estate firms, of financial service providers, telcos, direct marketing, transport service firms and businesses that process genetic data and any other organisations with human resource functions.
Early this year, CBK Amendment Act was enforced and has given the banking regulator powers to license and oversee digital credit providers.
Digital lenders had constantly been blamed for breaching the confidentiality of information of borrowers who default on loans and hiding terms of their loans, opening an avenue for predatory lending.
The tightening of data protection rules follows reports that more than a fifth of Kenyan companies shared customers’ financial and personal information with third parties without the client’s consent for purposes of analysis, processing transactions, sending SMS alerts or to advertisers.
ODPC will also list companies that have complied on their website for their customers to see after they have been granted the registration license.
