Building trust – engaging data privacy in Kenya
Jose Almeida
?? Freelance Data Consultant/Advisor ? Data Strategy ? Data Governance ? Data Quality ? Master Data Management ?? Remote/Onsite Consulting Services in EMEA
I wrote the text you’re about to read more than a year ago.
It was written before the Data Protection Bill became the Data Protection Act, before the first Data Protection Commissioner being nominated, leading to believe that much has changed since then - Has it?
It was also written before COVID-19, which turned out to be a real game changer when it comes to data and all related with its privacy and protection.
The pandemic accelerated the notion of living in an era of digital complexity.
Organizations had to turn long term plans for digital transformation into short term initiatives, unexpectedly the world moved to remote work, remote transactions and communications, and the digital delivery of core services.
These changes have suddenly increased the challenges in data privacy and protection.
All of this led me to give this text a second life, a second chance out there.
One last note: To my friends that have been taking their time to discuss this with me: Asanteni sana marafiki zangu.
Building trust – engaging data privacy in Kenya
Kenya is undergoing a series of changes in the data privacy regulations, and Kenyan companies are completely off guard as these changes are turning up faster than the organizations can adapt to it.
Regulations like the Data Protection Bill or new rules from the Central Bank of Kenya, are putting an enormous pressure on organizations, creating an entirely new reality to which organizations need to adapt fast.
Ensuring you comply with the Data Protection Bill can open the door to additional benefits attainable in understanding and protecting customer data. It's a mistake for organizations to view compliance just a financial burden. There are real benefits. Organizations must see it as an opportunity to transform their approach to customer data and not simply as a matter of compliance.
At first glance the Data Protection Bill presents a series of challenges, effectively raising the bar for the protection of privacy and the lawful processing of data.
But problems provide opportunities, and efforts to comply with the Data Protection Bill can bring several benefits for organizations, going beyond data processing to the delivery of better services and outcomes.
Once in place the Data Protection Bill will change the balance of privacy rights against the free flow of data. People will have the right to ask for the data an organization holds on them, for it to be transferred or erased on their instruction, and to prevent it being shared with other organizations.
It will introduce new rules on what constitutes the lawful processing of data, with an emphasis on explicit and unambiguous consent from the subject and extending to any third party responsible for the processing. Requirements and penalties.
There will be requirements for a public authority to have a data protection officer, to carry out risk assessments on the processing of sensitive data, and to report any data breaches within a specific timeline. Along with all this there will be punitive penalties for organizations that fail to comply.
These are significant challenges, but it must be understood that they come in response to the explosion of personal data that has come with the emergence of digital technology and the internet, and amount to significant steps forward in personal privacy rights.
Organizations need to recognize the challenges, but they should also be able to identify significant opportunities. It is an area where a solid data strategy helps to realize the benefits.
What you don’t know will hurt you
The most urgent to address is to know exactly what data the organization has, on whom, where it is kept. Only after an organization has knowledge about its data, knowing it across the silo ecosystem, being able to do full lineage of the data, and fully understand its life-cycle.
Only then it can move to address data subject access rights, consent, breach response, data processing record keeping, and more.
At this point instead of fighting the siloed ecosystem, that is still the major challenge for any analytical initiative but also the natural evolution of every large organization, it’s the moment to govern the data, regain control over the data’s quality, origin, ownership, the key elements of a successful data governance program. Data dictionaries, business glossary, and data lineage, defining data and terms across all business units, providing information about the source, age, and inter-dependencies of data, laying out the sources of data, it’s usage, relationships between data sources, data quality dimensions and scores, data owners and stewards.
The bottom line - Trust
In industries dependent on attracting and keeping customers, that handle and work with customer data, it essential to have clear objectives when approaching this challenge. Data protection might be considered a compliance issue, but the risks are higher than compliance.
There’s a growing trend for customers to prefer companies that have an ethical approach to data. The view of the Data Protection Bill being just a compliance issue, might hold organizations from following a market tendency that is gaining strength.
Organizations that can show they are ethical and responsible about their customers data, will be gaining a competitive edge against their competition and getting their customers support in the process. Compliance with the Data Protection Bill is just the beginning of this process.
The existence of a clear data strategy, with focus on trust, based on ethical and transparent data practices, making sure that customers know how, when and for how long their data will be used is an opportunity to make customers buy in to an organization, its culture and principles instead of just products.
Something else is also changing, the customers are losing their tolerance for data security failures and the awareness for these issues is growing, as some recent cases have shown (Cambridge Analytica and Facebook), and the probability to stop doing business with organizations that mishandle or are negligent data is greater than ever.
About the author
With over 20 years’ experience, Jose Almeida’s Data Management career has focused mainly in the areas of Data Governance, Data Quality, Master Data Management, ETL, Data Migration and Data Integration, with experience in worldwide projects in Europe, Middle East and Africa across a wide range of realities and different clients and industries, enabling organizations across the world to proactively manage their data asset and to address their challenges and gain more value from their data, focusing on providing solutions through the usage of best-of-breed technologies and methodologies.
Currently providing advisory and consulting services on data strategy, data governance, data quality and master data management.
Global Supply Chain Leader | Transformational Operations Executive | AI & Digital Transformation Advocate | Champion of Inclusion, Diversity & Circular Economy | Driving Sustainable Supply Chain Strategies
4 年Jose Almeida, would you agree with me that the Huduma Namba presents a case study for the challenges faced in implementing the Data Protection Act in Kenya? The implementation is fraught with legal challenges and whereas the courts have provided guidance in terms of the implementation - the card does not replace the existing/ multiple databases that carry personal data (National ID, Driving License, Passport, NSSF Card, NHIF Card, Voting card etc), it is not clear as to what is deemed personal data vs personal security data, the extent to which an individual can withdraw the consent on the use of personal data etc.