How compliant is your firm with data privacy regulation?

Organisations should take the necessary steps to examine their data privacy policy.

The commodification of data has led to its description as “the new gold” with companies collecting, analysing, manipulating, buying and selling data to get a competitive edge.

As with any valuable commodity, there has been an increasing concern in protecting this asset from exploitation and unauthorised use.

Parliament in November 2019 enacted the Data Protection Act of 2019 to give effect to the Right to Privacy for all individuals as provided for under the Constitution.

While the Act has been in force, its implementation and effect have yet to be fully realised, as Immaculate Kassait only recently took her oath of office as Kenya’s first data protection commissioner, on November 16 last year. Her immediate task will be to implement the provisions of the Act.

The Act is a major development that will require significant changes to the operations of all Kenyan private and public entities.

Is your business compliant?

Let’s begin with an assumption – a robust data privacy programme has not been at the forefront of your mind, or, if it has, it is only recently that you have had to get into the weeds of your organisation’s compliance with the Act. You are aware that the Act exists; however, you are not familiar with all the tenets of data privacy.

Maybe you have been incentivised to put together a data privacy programme after recently learning that the data protection commissioner (DPC) may impose a penalty of up to Sh5 million or one per cent of your preceding year’s annual turnover (whichever is lower) if you are found guilty of breaching provisions of the Act.

Perhaps the following examples will serve to test your organisation’s readiness with a few of the many obligations under the Act.

However, given the recent appointment of the DPC, some of these obligations are yet to be implemented and enforced. It is, nevertheless, likely they will be in the near future once the DPC office is fully established and subsidiary legislation enacted.

Registration: If you are a data controller or processor, you will have to be registered and licensed by the DPC.

Breach: Where there has been a breach, you are required to inform the DPC in writing within 72 hours of its happening. Should you exceed the three days, you must accompany the notification of breach with reasons explaining the delay.

Assessment: Where the processing of personal data is risky and highly likely to result in a breach, you are required to carry out a data protection impact assessment (DPIA).

Commercial data: If you intend to commercialise personal data, you must anonymise it after receiving consent.

Human involvement: Fully autonomous automated systems for processing personal data are generally not allowed. For example, if your application relies solely on Artificial Intelligence algorithms to process a data subject’s data in order to reach an outcome of any kind (such as assessing their eligibility for a loan), it is likely that such an application is not legal unless a human is involved in the final decision.

The above notwithstanding, the Act is now in force and you need to be compliant.

Based on your readiness, you will need to source the expertise to implement your data privacy programme. Many lawyers and management consultants will take the work. However, whilst any lawyer can interpret legislation and draft policies, there are not many with the specific expertise to competently advise, train and develop a comprehensive data privacy programme for your organisation.

As a broad example, it is common knowledge that the Act was influenced by the General Data Protection Regulation (GDPR) in the European Union. Fortunately, to ensure its efficacy in Kenya, it has been localised in many areas, thanks in part to a few individuals with the requisite expertise who engaged government during the public participation phase of its drafting.

I participated in this process, leading a submission from the Centre for Intellectual Property and Information Technology Law (Cipit), a think-tank based at Strathmore University, where I was a technology law policy consultant at the time.

Beyond this, a cursory glance at some of the requirements of the Act, for example those outlined in Section 41 of the Act (Data protection by design or by default), indicates that any comprehensive solution you seek should include individuals with technical skills and competency beyond law.

Cybersecurity experts will be of particular relevance as they are able to undertake offensive security checks to identify, validate and assess the risk of any data security vulnerability that may exist within your organisation.

Many functions of your organisation will be impacted by privacy concerns. Your privacy programme and strategy (the why) must consider these and be comprehensive enough to enable the development of a robust privacy policy framework (the what).

Beyond regulatory compliance, it is incumbent on you as a good corporate citizen to ensure that the personal data of Kenyan citizens you hold is protected.

The writer is a partner at Victor Lee Legal.
