Boost for data privacy as new rules take effect


Data Protection Commissioner Immaculate Kassait. FILE PHOTO | NMG

Companies who breach privacy laws are now set to feel the full weight of the new data act after it received parliamentary nod last week.

In compliance with the law, all data controllers and data processors will now be required to register with the office of the Data Protection Commissioner.

A company found in breach of the new data regulations face fines of up to one percent of their annual turnover after the parliamentary committee on delegated legislation passed the data laws.

The approved set of regulations includes the data protection (General) regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

“In relation to an infringement of a provision of this Act, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to five million shillings, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower,” the data Act reads in part.

The fines will require organisations to review their data privacy policies to make them easier to understand and prove compliance.

The data protection (General) regulations, 2021 and the complaints handling regulations took effect from March 14, while the registration of data controllers and processors will take effect on July 14 2022.

The Data Protection (General) Regulations, 2021 provide for rights of a data subject and limitations to commercial use of such information.

It also explains the roles of data controllers and processors, the communication of data breaches and the transfer of data outside Kenya.

In the event of commercialisation of data, a data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence.

He or she is liable, on conviction, to a fine not exceeding Sh20,000 or to a term of imprisonment not exceeding six months, or to both fine and imprisonment according to the data protection act.

“The approval of the regulations by Parliament marks a huge milestone in the government’s efforts to safeguard personal data of the people of Kenya,” ICT Cabinet Secretary Joe Mucheru said.

[email protected]