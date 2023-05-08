Columnists How organisations use data can make at an ally or enemy

By SHRUTI SHAH

The Kenya Data Protection Act (“the Act”) received Presidential assent in November 2019 and regulations under the law were gazetted in 2021.

The main purpose of the regulation is to protect individuals – such as you and me - from having their personal information misused, mishandled or exploited.

The Act does this by setting out the rights of individuals and by placing responsibilities upon organisations that handle personal information and further, placing onerous requirements on all entities that hold or process personal and sensitive data.

Each organisation handling personal data will need to undertake a full inventory of the same or processes, perform a gap analysis on its existing policies, procedures and practices with respect to data protection and management of personally identifiable information, remediate the gaps and put in place the necessary policies, disclosures and documentation for compliance with the Act.

Certain organisations will also need to register with the ODPC as data controllers or data processors.

Kudos to the ODPC for setting a clear roadmap for data privacy in Kenya – they have also emphasised that the intention of the Act is not to stop the processing of data but to ensure it is done in adherence to data protection principles whilst ensuring there is a lawful basis.

We’re living in turbulent times – from the pandemic to war in Europe, natural disasters unfolding and watching the devastating impacts of climate change.

To add to the mix, the haphazardness of the financial markets bringing to question anything we learnt at university or business school.

As business owners and leaders, we are riding some rough waves. Dealing with additional compliance requirements is the last thing we need.

However, the Act and its requirements could be a business enabler giving you a competitive edge against your competitors.

So rather than complying just for the sake of it and to avoid any enforcement notices of penalties, there are other benefits:

The Act forces organisations to have a security strategy in place for each piece of data it processes – whether hard copies of documents or information stored on the cloud.

Having a solid framework will help avoid breaches in future and loss of data, which would have huge ramifications.

The first stage of the data privacy compliance journey is to conduct a data audit via a data mapping exercise.

This helps an organisation understand exactly what personal information and what sensitive personal parts the organisation holds, where the data is held, how and in what form the data is held and various data processes applied.

It gives a better understanding and appreciation of the data that flows into, through and out of the organisation.

The process helps you think about how to minimise the various forms of data and to only hold what is necessary and enables better data organisation and management practices.

It will also help firms appreciate the volume of information that is being held that adds no business value (but enhances costs and compliance requirements) and will enable a clean-up to be conducted, eliminating data that is not required.

Compliance with the Act can help build more trusting relationships with your customers and the public generally.

