Bars, restaurants, dispensaries, schools and betting companies are among entities in 13 risky sectors that must register with the data commissioner regardless of their annual turnover or number of employees in a new directive that targets previously exempt entities.
The entities have been flagged by the Office of the Data Protection Commissioner (ODPC), which is widening the net for mandatory registration as the rules that took effect on July 14 set in.
The Data Protection Regulations, 2021 were gazetted in January 2022, requiring registration of data controllers and data processors, including entities collecting and storing data.
This comes amid increased complaints about lack of data protection laws and abuse of personal data, especially by digital lenders, political parties and human resource departments.
The regulations targeted all public and private entities that deal with personal data including non-governmental organisations (NGOs) and churches.
Initially, organisations with an annual turnover of less than Sh5 million or less than 10 employees had been exempted from registration.
But the office has now restated that going forward, regardless of the size of the business or number of employees, any entity in a position to collect and hold personal information will be forced to comply.
Entities mentioned include law firms, property managers, real estate agencies, and businesses providing financial services including mobile money agents, digital lenders and Saccos.
This also includes processors of genetic data like medical research companies, and medical labs; private and public healthcare providers including clinics, mental healthcare centres and e-health providers.
Among them also are training providers, schools, whether primary, high or tertiary level, and hospitality firms like restaurants, bars and hotels. Tour guides are excluded.
Telecommunications firms and digital ride-hailing service providers including Uber, Bolt, Little and Hava will also be required to register.
“Entities processing personal data for these following purposes, or in those sectors, regardless of their annual turnover/revenue or the number of employees, are not exempt from registration,” the Office of the Data Protection Commissioner stated.
The registration will be done electronically through the website of the Data Commissioner, where entities will be issued with a registration certificate.
The registration will be done every two years. The costs for registration range from Sh4,000 to Sh40,000.
Kenyans have in the past complained about illegal sharing of personal information and invasion of privacy by marketing firms and some companies promoting products and services. The rules will also see private security companies that collect data at premises' entrances register.
Commonly stored data by businesses include ID numbers, phone numbers, employee records, customer details and transactions.
This is set to prevent data from being used for fraud, phishing scams and identity theft or defamation.
Data Protection Commissioner Immaculate Kassait plans to have companies and businesses denied operating licences for non-compliance with data registration laws.
Ms Kassait said she will hold talks with regulators in different sectors to have data registration as a condition for the issuance of an operating licence.
This will see bills introduced for amendments of current sectors’ regulations, for instance the Central Bank of Kenya (Amendment) Act 2021, which saw mobile money lenders regulated by CBK and compelled to have a certificate in compliance with the Data Protection Act.
The regulations dictate that the office carries out random inspections of public and private entities to evaluate the processing and storage of personal data.
“Our focus has been on compliance, creating awareness and registration of data collectors and processors and getting our staff on board. Once we get enough people who can help us in terms of inspection, we would go towards that,” Ms Kassait said in a past interview with Business Daily.
The ODPC will also list companies that have complied on its website for their customers to see after they have been granted the registration licence.
The need for data protection compliance follows reports that more than a fifth of Kenyan companies shared customers’ financial and personal information with third parties without the client’s consent for purposes of analysis, processing transactions, sending SMS alerts or to advertisers.
With the rules coming in an election year that has been marked with heated campaigns, political parties and youth political organisations have also been pulled in to register.
This comes after past election years and by-election periods in which personal data – name, address and polling station – were used by candidates for soliciting votes.
Entities permitted to collect personal data per electoral laws include the Independent Electoral and Boundaries Commission (IEBC), Office of the Registrar of Political Parties and the various registered Political Parties.
A guidance note on electoral purposes by the ODPC shows that voters and members must be notified of any purpose for which their personal data is used apart from the elections, or when it is transferred to third parties.