“Small businesses are an easier target because data security and protection often play second fiddle to the more pressing issues small business owners must conquer on a daily basis.”
This is an observation made by South African freelance writer Warren Kelly in his blog post titled ‘Small business data protection: low hanging fruit’.
As the deadline for data controllers and data processors to register with the Office of the Data Protection Commissioner (ODPC) fast approaches, much of the focus has been on financial services providers and telecommunications companies and on their preparedness and compliance with the data protection laws.
We have seen them recruiting data protection officers, in addition to commissioning gap analyses for their respective organisations, now that the Data Protection Act (DPA) and the supporting regulations are in place. However, small and medium enterprises lag behind owing to a lack of awareness and financial constraints.
Some are still gradually recovering from the impact of the Covid-19 pandemic. These enterprises continue to collect, process and store personal information without proper safeguards in place.
The Micro and Small Enterprises Act defines a small enterprise as “a firm, trade, service industry or a business activity” that has an annual turnover of between Sh500,000 and Sh5 million. This is in addition to employing between 10 and 50 people.
On the other hand, the Data Protection (Registration of Data Controllers and Processors) Regulations, 2021, require small enterprises with 1-50 employees and an annual turnover of up to Sh5 million to register as either data controllers or data processors by paying Sh4,000 as registration fees and Sh2,000 as renewal fees every two years.
This brings another compliance requirement for small enterprises that process personal information in their core activities.
Beyond this registration requirement, they also ought to comply with the DPA or face the risk of being fined up to one per cent of their annual turnover for the preceding year or Sh5 million, whichever is lower.
In some jurisdictions under the European Union General Data Protection Regulation (EU GDPR), the fine is administered per breach.
Unlike banks and telecoms operators, most small enterprises may not be able to afford the fines, the reputational damage and, certainly, the nuisance value brought about by complaints to the ODPC.
The Micro and Small Enterprises Authority, as established by the Micro and Small Enterprises Act, is mandated to formulate policies and programmes for micro and small enterprises.
A programme on how small enterprises can be better prepared to comply with the DPA is urgently required. This can be achieved in conjunction with the ODPC as part of its awareness campaign.
In Singapore, the Personal Data Protection Commission (PDPC) in conjunction with the Info-Communications Media Development Authority (IMDA) has developed a “Data Protection Essentials (DPE)” programme tailor-made for small and medium enterprises.
Through the DPE, SMEs acquire “a basic level of data protection and security practices to protect their customers’ data and recover quickly in the event of a data breach”.
Further, the DPE programme aims to have SMEs get certified with a Data Protection Trust Mark (DPTM). This helps the certified SMEs build their brand with third parties, and at the same time gain customer trust and increase their competitive edge over non-certified entities.
As part of compliance, banks, insurance companies, telecommunications companies and others that wish to outsource some of their data processing activities to small enterprises will certainly require certificates of registration with the ODPC as data processors before onboarding them as potential suppliers.
Right to privacy
Our economy is becoming more digitalised, and at the same time, consumers are now more conversant with their right to privacy. Consequently, small enterprises need to be deliberate in following principles set out in the DPA.
These include “data minimisation”, whereby you collect only the data you need. When you purchase a bouquet of flowers from an online vendor, they should not be asking for your date of birth.
However, if you are purchasing alcohol from an online retailer, they should request your date of birth to verify that you are 18 years or older. This is just one of the principles that small enterprises ought to observe.
Ideally, the Micro and Small Enterprises Authority, in collaboration with stakeholders such as the ODPC, the Kenya Bankers Association, telecommunications companies and payment solution providers, should commission a survey on whether small enterprises are aware of the DPA and its implications.
The survey should inform the authority on the compliance gaps that exist among small enterprises. With this data, the authority will be better placed to formulate policies and programmes that will facilitate awareness and adherence to the DPA.
The authority should strive to unpack the DPA and the regulations for small enterprises in a concise manner devoid of any legalese. This way, it will be easy not just to comply, but also to propose areas of amendment or even to draft small enterprise-specific regulations.
Karanja is a data protection compliance and commercial law practitioner