Why Kenyan firms need a data protection officer

Ideas & Debate, 2021-06-28

With the world generating data at a faster rate than ever before, the exigency of data protection and privacy has never been more profound. It is estimated that by 2025, 463 exabytes of data will be created each day globally, the equivalent of 212,765,957 DVDs per day!

This is according to an April 2019 World Economic Forum publication, which also indicated that there were 294 billion emails sent daily. The volume of data and information generated globally and in Kenya is truly staggering.

As data becomes enshrined in our economy, it is also earning value and the public increasingly understands and cares about the right to privacy as codified in both Article 31 of Kenya’s Constitution and Section 26 of the Data Protection Act (DPA). Consequently, companies controlling and processing extensive amounts of personal data need to get their house in order now.

The reputational and financial risks of not doing so could be significant, especially for small and medium-sized firms.

One way of mitigating those risks is to appoint a qualified and resourceful data protection officer (DPO). Section 24 of the DPA provides for the designation of a DPO by organisations which undertake core activities that require systematic monitoring of data subjects or that consist of processing sensitive personal data.

The DPO role can be either in-house or outsourced. The role of today’s DPO has already been clarified in a thorough and responsible way in Europe. The period between the adoption of the European Union General Data Protection Regulation (EU-GDPR) on April 14, 2016 and its coming into force on May 25, 2018 saw the demand for DPOs grow by 709 percent, according to a jobs site.

A similar trend exists in Kenya, with DPO job vacancies listed on sites such as LinkedIn and Fuzu, while at the same time some entities are reassigning in-house lawyers to take on the role of a DPO.

One obvious question that comes up in the context of selecting a DPO is what his or her qualifications should be.

The Act is not very clear on this point and merely stipulates that the person nominated as DPO should have “relevant academic or professional qualifications which may include knowledge and technical skills in matters relating to data protection”. The draft regulations published by the Data Commissioner and her taskforce earlier this year did not contain any further guidance on the role of the DPO.

By way of contrast, globally under the GDPR, a DPO is required to be an experienced expert in data protection law.

From a practical point of view, when organisations nominate DPOs the right candidate should demonstrate, at a minimum, familiarity with the DPA, including knowledge of data subject rights, the obligations of controllers and processors, penalties for breach and the role of the Data Commissioner. Such knowledge is fundamental to a DPO’s ability to advise an organisation on compliance with the DPA.

The DPO’s principal role is to ensure that his or her organisation processes the personal data of data subjects, such as employees, customers and suppliers, in line with the DPA. To do so, he or she needs to map the organisation’s data and understand its people and processes, among other priority areas.

It is the people within an organisation who will implement the processes recommended by the DPO and therefore, the DPO may work to develop an interactive and practical e-learning solution with core modules for HR, sales and other functions that process significant amounts of personal data.

Ideally, a DPO should be able to advise and implement the bare minimum of regulatory compliance requirements and understand that customers are now scrutinising an organisation’s privacy safeguards prior to deciding whether or not to use its products or services.

A recent report by Securys Limited dubbed “Consumers Act on Privacy” revealed that in major European markets, “not only do 80 percent of people pay considerable attention to privacy before making a purchasing decision, 60 percent of them actively select for good privacy over price”.

The research also showed that for over one-third of consumers, better privacy was more important to them than lower prices.

A DPO also needs to understand existing risks and, preferably, anticipate others depending on the processing activities. The proliferation of privacy laws across jurisdictions requires a DPO to be conversant with a network of different privacy laws in multiple jurisdictions.

In fact, most advertisements for the role of a DPO locally require one to be conversant with not just Kenya’s Data Protection Act but also EU-GDPR among other laws from other jurisdictions depending on where the organisation operates.

Finally, for a DPO to be effective in helping an organisation mitigate its data protection and privacy risks, he or she needs to be supported and empowered in the role.

The DPO should be independent, in that his or her reporting line should be to the senior management responsible for managing risk in the organisation, such as the chief risk officer, chief compliance officer or chief legal officer.

He or she should not be assigned duties that would conflict with the DPO role, for example by being put in charge of a function that processes a large volume of personal data, such as HR or customer relations.

The DPO should also be able to ask the hard questions of staff at all levels of the organisation, and should be able to count on management to promote collaboration between the DPO and all other parts of the organisation and to facilitate access to information.

For organisations that process large amounts of personal data as a core activity of their operations, the role of DPO is critical for the effective management of data protection and privacy risks.

It is important to ensure that the person appointed to that role has the right attributes, including relevant knowledge of the law, an understanding of the organisation’s main activities and an understanding of the broader industry in which the organisation operates.

The board and senior management of the organisation should empower the DPO to perform his or her role independently and with support from the rest of the organisation.

Githaiga is the Head of Regulatory Compliance & Advisory at PwC Kenya. Karanja is a data protection compliance and commercial law practitioner.