What data protection law means for Kenyan firms

Data sourced from Kenya is now safeguarded. FILE PHOTO | NMG 

In daily interactions, people give out a lot of their personal data knowingly or unknowingly.

Take the example of apps. Before you download them, it is a precondition to allow the creator access to your personal information like videos and photographs. Usually, you have to accept the terms and conditions before you access the app. Most people do not read the details but are quick to accept whatever terms and conditions are offered.

Many times after downloading an app, you have no control over what its creator will use your data for. Under most of the terms and conditions, consent is given to the app creator to do many things with your data, including third-party sharing.

A lot of personal data is given out during online activities. Third parties are able to access this information and use personal data for various purposes like marketing. Digitisation has enhanced data exchange. Before accessing most services you are required to give out your personal data. How secure is this?

A few weeks ago Kenya passed a data protection law whose foundation is the right to privacy. Article 31 of the Constitution gives citizens some level of data privacy in communications.


The Data Protection Act, however, comes in to provide a legal framework on personal data usage, especially on digital platforms. Last year, the European Union passed the General Data Protection Regulations (GDPR) and the Kenyan data protection law is said to be GDPR compliant.

There are many provisions in the law, which are important to read ahead of its enforcement.

The data protection laws will bring about several changes in the business environment.

One is that almost all businesses will have to put in place structures and operations to ensure compliance.

Most businesses handle data. For example, when a client procures your services, you usually have a client database containing information about the client.


Therefore, this law will be applicable to businesses that either control or process data.

My interpretation is that as long as you are in direct control of another person’s data then the law applies to you.

The law sets out several requirements that must be put in place when handling another’s personal data and this includes processing and profiling.

The data must be handled lawfully and accurately, and the data subject’s consent must be given before it is shared with third parties.

In the case of a business, when a client gives you personal information, then you have an obligation to honour the law’s provisions when interacting with that data.

For example, you cannot disclose their information to others without seeking consent.

Structurally, the law requires controllers and processors to nominate data protection officers whose main duty is to ensure compliance with the law.

This is especially so for businesses that are regulated and licensed by the government, for example, banks.

Therefore, there may be more demand for professionals with data protection skills such as IT experts.

Data sourced from Kenya is now safeguarded. This is crucial, especially in the wake of the Cambridge Analytica data scandal and the influence of the 2017 Kenyan elections.

Global entities setting up in Kenya may have to be compliant with data protection laws. Most are GDPR compliant anyway.

There is a state agency that will deal with enforcement and overseeing protection in Kenya.

The impact of this law will take some time to be realised but it is prudent to prepare in advance.