Regulator rejects calls to grant SMEs free access to personal data


CA Acting chief executive Mercy Wanjau. FILE PHOTO | NMG

All firms will have to obtain clearance from the industry regulator before they can collect personal data from Kenyans if a proposed law is passed in its present form.

The Data Protection Bill, 2019 requires all data processors and controllers –whether small and medium-sized enterprises (SMEs) or multinationals – to be registered by the Communications Authority of Kenya (CA).

The CA has rejected calls to exempt small and medium-sized enterprises (SMEs) from the mandatory registration in order to encourage their growth.

Acting chief executive Mercy Wanjau told Parliament that such a move would compromise the security and sensitive information and leave Kenyans exposed. “We don’t want to open the door for SMEs carrying sensitive data that would make us very vulnerable so that they grow,” she told MPs.

The Data Protection Bill, 2019 proposes that no person shall act as a data controller or data processor unless registered with the Data Commissioner.

The Bill currently under deliberation by the National Committee of Communication Information and Innovation defines a data controller as a natural or legal person, public authority, agency or body which determines the purpose and means of processing personal data.