Data protection, according to the Cambridge Dictionary, refers to laws and regulations that make it illegal to store or share some types of information about people without their knowledge or permission. The Data Protection Act is a law that implements Article 31(c) and (d) of the Constitution, which deal with the right to informational privacy. The Act therefore seeks to enable individuals to exercise control over the use of their personal information.
When handling people’s personal data you are expected to assure them of its privacy, since people prefer to engage with individuals or organizations that guarantee the security and privacy of their data.
The Data Protection Act was implemented in 2019, but registration under it started in 2022. If a data breach occurs, you must report the incident within 72 hours.
As things currently stand, if you are a business owner and do not adhere to the Data Protection Act, you risk the following:
- A fine of 5 million Kenyan shillings.
- 1% of an organization’s annual turnover
- Damage to brand reputation
It is therefore in the best interest of your firm or organization to ensure you follow the rules of the Data Protection Act.
Kenya promulgated the Data Protection Act
The Data Protection Bill 2019 follows the path taken by the European Union in enacting the General Data Protection Regulation (GDPR) in May 2018. Moreover, it aims to enhance data privacy and protection for individuals.
Purpose of the act
- It gives effect to Article 31(c) and (d) of the Constitution of Kenya, which enshrine the right to privacy. Consequently, individuals are afforded greater protection of their personal information.
- The Act establishes the Office of the Data Protection Commissioner.
- It regulates the processing of personal data.
- It provides for the rights of data subjects and the obligations of data controllers.
Data protection principles
- Data must be used fairly, lawfully and transparently.
- The Act specifies the explicit purposes for which you can use data.
- You must use data in a way that is adequate, relevant, and limited to only what is necessary.
- Data must be accurate and, where necessary, kept up to date.
- Data must be kept for no longer than is necessary.
- Data must be handled in a way that ensures appropriate security. This includes protection against unlawful and unauthorized processing, access, loss, destruction, or damage.
- Collection of data should be minimized.
- Further processing of data is restricted.
- Security safeguards must be maintained to protect personal data.
Registration of data controller and processor
The Act requires that if you act as a data controller or data processor you must be registered with the Data Commissioner. Therefore, if your organization meets the definition of a controller or processor, you will need to register as such and renew your registration every two years.
Restrictions on commercial use of personal data
- For the purposes of section 37(1) of the Act, a data controller or data processor uses personal data for commercial purposes when they advance commercial or economic interests by using the personal data of a data subject. This includes actions like inducing someone to buy, rent, lease, join, subscribe to, provide, or exchange products, property, information, or services, or enabling or facilitating a commercial transaction directly or indirectly.
- A data controller or processor who uses personal data for commercial purposes without the consent of the data subject commits an offence. They are also liable, on conviction, to a fine not exceeding twenty thousand shillings or to a term of imprisonment not exceeding six months, or to both fine and imprisonment.
- An opt-out mechanism, as outlined under regulation 15(1)(d), shall: first, provide a visible, clear, and easily understood explanation of how to opt out; second, include a process that requires minimal time and effort to complete; and third, offer a direct and accessible communication channel, which should be free of charge (or involve only a nominal cost) and be accessible to persons with disabilities.
- A data subject may request a data controller or data processor to restrict use or disclosure of their personal data to a third party, for the purpose of facilitating direct marketing.
Data controllers and Data processors obligations
- Pursuant to section 39 of the Act, a data controller or data processor shall retain personal data processed for a lawful purpose, for as long as may be reasonably necessary for the purpose for which the personal data is processed.
- Subject to section 25 of the Act, a data controller or data processor may share or exchange personal data collected, upon request, by another data controller, data processor, third party or a data subject.
- A data controller or data processor shall develop, publish, and regularly update a policy reflecting their personal data handling practices. In addition, this policy should clearly communicate the procedures and safeguards in place to protect personal data.
- A data processor shall not engage the services of a third party without the prior authorization of the data controller. Therefore, it is essential for data processors to seek approval before sharing any personal data with external parties.
- Subject to section 42(2)(b) of the Act, a data controller shall engage a data processor through a written contract.
Particulars of the contract
- The processing details, which include the subject matter of the processing, the processing duration, the nature and purpose of the processing, the type of personal data being processed, the categories of data subjects, and the data controller’s obligations and rights, must be clearly defined.
- The data controller’s instructions.
- A duty on the data processor to obtain a commitment of confidentiality from any person or entity that the data processor allows to process the personal data.
- The security measures subjecting the data processor to appropriate technical and organizational measures in relation to keeping personal data secure.
- A provision stipulating that all personal data must be permanently deleted or returned upon the termination or lapse of the agreement, as decided by the data controller, is essential. Furthermore, this ensures that data is handled responsibly and in accordance with data protection regulations.
- The auditing and inspection provisions by the data controller.
Transfer of data outside the country
- A copy of the data should be kept in a storage centre located in Kenya.
- There should be proof of safeguards in the country outside Kenya.
- The data subject should have given consent.
- The transfer should be necessary for the performance of a contract.
Exemptions
- National Security or Public order
- Court Order.
- Prevention or detection of crime.
- Prosecution
- Collection of Tax
Notable interest
- The Office of the Data Commissioner is up and running and responds quickly.
- More than 2,000 data controllers and processors have registered.
- Significant awareness training has been carried out by the Office of the Data Protection Commissioner (ODPC).
- There are also the Data Protection (General) Regulations 2021.
Section 31 of the Data Protection Act requires conducting a data protection impact assessment before processing data to identify and mitigate any potential risks.
Penalties for non-compliance
The fine will be not more than 5 million shillings or, in the case of an undertaking, not more than 1% of its annual turnover for the preceding financial year, whichever is lower.
Individuals will be liable to a fine not exceeding three million shillings, or to a term of imprisonment not exceeding ten years, or to both.
Increased territorial scope
The Data Protection Act applies to all companies processing the personal data of data subjects residing in Kenya, regardless of the company’s location.
Explicit and retractable consent from data subject
The data subject’s consent must be provided in an intelligible and easily accessible form, using clear and plain language. Moreover, it must be as easy to withdraw consent as it is to give it.
Data subjects rights
As the data subject, you can request confirmation of whether organizations are processing your personal data, including where and for what purpose. Additionally, you can request the removal of all data related to you, exercising your right to be forgotten.
Breach notification within 72 hours
You should notify the Data Commissioner within seventy-two hours of becoming aware of a breach, and you should inform the affected data subjects in writing within a reasonably practical period.
Privacy by design
It is now a legal requirement to consider and include data protection from the outset when designing systems, rather than adding it retrospectively.
Data inventory
An organization must maintain a record of the processing activities under its responsibility; in short, it must keep an inventory of all personal data processed. The inventory must include several types of information, such as the purpose of processing.
Data protection officer
An organization may need to appoint a Data Protection Officer to demonstrate compliance with the act, depending on the type of personal data and the intensity of processing activities.
Conclusion
The Data Protection Act recognizes the concept of pseudonymization. A renewed emphasis on organizational accountability will demand proactive, robust privacy governance. This will require us to rethink how we write privacy policies so that they are easier to understand and so that compliance can be enforced. Understanding what data is collected and where it is stored will make it easier to comply with the new data subject rights: the right to have data deleted and the right to have it ported to other organizations. This will also have an impact on the third-party vendors that businesses work with.