By NICHOLAS MULILA

Our world is rapidly evolving. The fears and concerns that we have today are not those that our forefathers had, and we must move to address them.

Forty years ago, it was almost a status symbol to have a fixed-line phone at home and your name and number published in a publicly available telephone directory so that people could contact you.

Today, we are more concerned about privacy and if someone calls you on your mobile out of the blue, you ask — how did you get my number?

The press is awash with stories of how our privacy is being impacted. In the telecoms industry, there is concern about customers receiving unsolicited marketing messages, or fraudsters routinely calling people armed with their personal information.

It is for this reason that Safaricom, for example, has been educating customers about data privacy, which entails the protection of personal information.

Issues around the collection, use and protection of personal data have gained traction over the years. This has resulted in the institution of laws and regulations looking to ensure that individual rights are protected, and appropriate consequences and penalties defined for non-compliance.

The most influential in this space globally are the General Data Protection Regulations of the European Union, which impose fines and penalties for privacy breaches. These regulations were passed in April 2016 and were implemented from May 2018.

In Africa, Kenya is among the countries that have sought to regulate access and use of personal data by passing a Data Protection Act in 2019. This is a step in the right direction and is a boost in the quest to inform the citizenry, both individuals and corporates, of what constitutes personal data.

The Act also sets up the Office of the Data Protection Commissioner (ODPC) to regulate data protection in Kenya.

What do these laws and regulations seek to protect us from? They look to protect any information that may identify an individual such as name, identity card number, gender, location, or any other piece of personally identifiable information.

Individuals or organisations who collect, process, or store such information are provided with guidelines on the dos and don’ts of doing so, including the rights of an individual with regard to their personal information.

As part of our commitment to our customers and partners, Safaricom has put in place extensive measures to implement the Data Protection Act. Our efforts go beyond compliance; we protect our customers’ data to maintain their trust. Our reputation depends on it.

We have a fully-fledged team within the organisation whose main job is to oversee and ensure that Safaricom is protecting data. We have also set out data protection policies to guide how personal information is collected, processed, stored or destroyed.

Every time we begin a new process, system or product that involves use of personal information, we conduct a data protection impact assessment to ensure that the correct processes and controls are in place to keep personal information safe.

Safaricom has provided a data privacy statement on its website to explain to all its stakeholders how it collects, uses, and protects their information, and we continue to innovate ways of educating and empowering our customers around data protection.

Organisations looking to ensure compliance under the provisions of the Data Protection Act can take several factors into consideration. For starters, it is a requirement for any person or entity processing personal data to inform individuals of the purpose of doing so.

This can be in the form of a privacy notice on your website and/or clauses within your terms and conditions or data-sharing agreements. In addition, there are rules that guard against information collected for a particular purpose being used for another without adequate safeguards.

It is important to ensure the security of data processing and to limit access to personal information. There are several sets of personal data we get to interact with on a day-to-day basis, whether it is payroll or health information for your employees or customer information for contacting them.

Personal information must only be shared on a need-to-know basis and kept secure against unauthorised access.

Rules regarding marketing messages have been set out whereby all organisations must seek permission before sending marketing messages directly to individuals. They must also provide subscribers a way of opting out of the marketing messages at any time, should they wish.

A data protection impact assessment (DPIA) is also necessary. Prior to undertaking any processing of personal information that could pose a high risk to individuals, a DPIA needs to be conducted to determine the risks and the adequacy of the safeguards in keeping personal information secure.

This helps ensure that you keep all personal information safe and identify all the processes and controls required to do so for new products or systems. It is also important to carry out independent DPIAs of your organisation to guard against any unintended gaps in your privacy programme.

Finally, it is a requirement that notices of data breaches must be made to the ODPC. Breaches that result in unauthorised access to personal data and which may pose a high risk to the rights and freedoms of an individual or groups of individuals must be reported to the regulator.

As the data protection and privacy landscape continues to evolve, all organisations and individuals who handle personal information should ensure they are doing so in the best interests of the people whose data they are processing — be they customers, employees, suppliers, investors, or other stakeholders. In this way, we can all work together to secure personal data.

Mulila is the chief corporate security officer at Safaricom Plc