Ideas & Debate

What Huduma judgment means for your business

case3

Summary

  • Section 31 of the DPA stipulates that where a personal data processing operation is likely to result in high risk to the rights and freedoms of a data subject, a data controller or data processor shall, prior to the processing, carry out a DPIA.
  • The UK Information Commissioner’s Office (ICO) defines a DPIA as a process designed to “systematically analyse, identify and minimise the data protection risks of a project or plan.”
  • In the Huduma Namba case, the High Court held that the State ought to have conducted a DPIA prior to rolling out the Huduma Namba.

Has your business introduced a new process, product or technology that involves processing of personal data likely to result in high risk to the rights and freedoms of your customers after November 25, 2019 when the Data Protection Act (DPA) came into force?

If your response is in the affirmative, then the recent judgment by the High Court on the Huduma Namba rollout implies that your business ought to have conducted a data protection impact assessment (DPIA) failing which your business risks being fined up to Sh5 million or one percent of your annual turnover in the preceding year, whichever is lower.

This may somewhat come as surprise to local data controllers and processors but it is not new at the global stage. In August 2021, the Italian data protection supervisory authority, Garante, fined Bologna Airport for, among other offences, failing to conduct a DPIA on a whistleblowing platform that it had launched.

Section 31 of the DPA stipulates that where a personal data processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a DPIA.

The UK Information Commissioner’s Office (ICO) defines a DPIA as a process designed to “systematically analyse, identify and minimise the data protection risks of a project or plan.” In the Huduma Namba case, the High Court held that the State ought to have conducted a DPIA prior to rolling out the Huduma Namba.

The Office of the Data Protection Commissioner has already published guidelines on conducting of a DPIA. They define a DPIA as “a process designed to identify risks arising out of the processing of personal data and to minimise the risks as far as possible”.

The guidelines set out nine criteria that should be factored in when determining whether you ought to conduct a DPIA. They range from whether you are processing data concerning vulnerable subjects to automated-decision making legal or similar effect.

A DPIA should answer questions such as: What does this process do to your customers? How does it affect them? Could this processing operation lead to discrimination?. Once all questions are answered, the associated risks identified in a DPIA are categorised from highest to lowest risk. The processing entity must proactively take steps to mitigate all identified risks before commencement of processing.

The Data Protection Act also expressly provides that where your process requires a DPIA, then you have to submit your DPIA report to the Office of the Data Protection Commissioner 60 days prior to the processing of the data.

Why then would businesses processing personal data require DPIAs? One reason is the need for consumer confidence once they are aware that you are alive to their rights and that you are deliberately safeguarding them.

DPIA reports will make potential investors understand your business processes better and will make informed decisions prior to making investment decisions. A DPIA will not only ensure that your entity is compliant with the law, but it will also reduce the risks of data breaches.

In February 2020, the European Data Protection Supervisor (EDPS) launched a survey on DPIAs as an accountability tool under the EU General Data Protection Regulation. It established that DPIAs not only led to increased data protection awareness within the institutions, but also ensured that data controllers understood how well their processes scored when it came to protection of privacy.

Fintechs, banks, insurance and telecommunications companies that process personal data and regularly introduce products or technology are required to conduct DPIAs. Depending on the size of an organisation, a DPIA does not have to be a complex exercise. At the very least, businesses need to identify whether a DPIA is needed, what are the related risks and solutions to mitigate or eliminate the risks.

DPIAs can be carried out by data protection professionals, lawyers or information security professionals. On completion of a DPIA all outcomes and recommendations should be reported and signed off. The outcomes should be implemented and integrated into each stage of processing of the personal data.

Closely related to a DPIA is a privacy impact assessment (PIA), which is a systemic evaluation of how a new product or process may affect the privacy of individuals. Such assessments are conducted for purposes of managing, minimising or eliminating any negative impact that may have been identified during the assessment.

Countries such as Australia through the Office of the Australian Information Commissioner have gone ahead and developed guidelines on and PIAs.

Ultimately, your business is better placed to meet the compliance requirements of the DPA if it has a checklist or a tool to determine whether any new activity or activities meet the threshold of requiring a DPIA or not.

Gadhia is an Advocate of the High Court of Kenya and OneTrust Fellow of Privacy in Technology

Karanja is a data protection compliance & commercial law practitioner