Personal Finance

Future belongs to data privacy compliant firms


Some­time back the Cambridge Analytica scandal happened and what was clear from was the need for boost data privacy.

Data privacy is currently a global issue and there are new developments on regulations. Compliance with the new regulations will be crucial for Kenyan and regional businesses trading in the European Union (EU).

In May 2018, the EU passed the General Data Protection Regulations (GDPR). These are applicable to businesses that are resident in the EU. It is also applicable to nonresident businesses that are offering services or trading with EU clients whether or not those clients are at the time residing in the EU. A lot of Ken­yan and re­gion­al businesses fall under the second class and therefore the GDPR would be applicable to them.

Here are a few real examples of common businesses to which GDPR would apply. A Kenyan-based tours and safari business that sources clients from the EU would have to be GDPR compliant. A locally-based law firm serving EU citizens such as expatriates living in Kenya would have to be GDPR compliant. A Kenyan bank serving EU corporates that are based in Kenya, would have to be GDPR compliant. A busi­ness with an expansion strategy targeting the EU market would have to be GDPR compliant. There are many more examples and it is advisable to consult your lawyer to clarify if GDPR is applicable to your business.

The importance of finding out if GDPR is applicable is mostly for compliance and also for alignment. There are serious repercussions for businesses that are not GDPR compliant where they ought to be. There is also the reputational risk a business may face for being GDPR noncompliant.


The good news is that a business that is GDPR compliant improves ease of entry into that market. For example marketing your business as a GDPR compliant venture based in Africa, would definitely put you ahead of your peers in terms of sourcing for the EU market.

GDPR rules are too lengthy to highlight in this column, however, the same are available online. To prepare for compliance you will need to seek expert advice of a lawyer and a data protection officer. It is a very technical process. However, my view is that it is a worthwhile process keeping in mind the benefits.

There is still a lot of confusion even in the EU regarding the interpretation of these regulations. Many opine that the regulations are a hindrance to some aspects of ICT and innovations for example artificial intelligence.

Inasmuch as GDPR is still a new and relatively grey area even in the EU, I would advise businesses to consider compliance as a way to attain a competitive advantage. I would include GDPR compliance as an opportunity when undertaking a strength weaknesses opportunities threats (SWOT) test. I would see compliance as a means of pos­itioning my business for the global market and beating noncompliant competitors. I see GDPR compliance as an opportunity to unseat noncompliant dominants. So by all means I would go for it.

I believe the Kenyan regulatory environment will soon catch up with the global pace, after all there is the Data Protection Bill which largely mirrors the GDPR of the EU. Data privacy is also a constitutional right under the right to privacy. Therefore it is advisable to begin looking into restructuring our businesses to be compliant.