Kenya's Data Protection Act, 2019. What to expect
Veronica Rose, CISA, CDPSE
IS Auditor | Certified CISO | Board Director at ISACA Foundation | Published Author | Director, ISACA Board of Directors 2021 - 2023 | Speaker | Member of NACD
Why was the enactment of the DPA a success for Kenya?
Since the passing of the Act, many people are still wondering why it is so firm; below are the key highlights that triggered the passing of the Data Protection Act, 2019.
- The enactment of the EU GDPR 2018 triggered the entire project.
- To unveil more opportunities for foreign investment in Kenya.
- The 2010 Constitution has a provision for data privacy; however, enacting the DPA was aimed at protecting the digital footprint of Kenyans.
- Aligning of Kenyan Data Privacy practices with the international standards.
- The increasing need to use technology in processing more data.
- A lot of data processing takes place in Kenya.
- More companies are using AI to sell their products; therefore, the Act was designed to protect customers’ privacy rights.
- Companies were not taking care of their customers’ privacy, i.e. the Act is firmly aimed at protecting someone who is not aware of his/her “right to privacy”.
- To bring hygiene to the data collection space.
- To ensure that data is processed by legitimate data processors.
Understand the Data Privacy principles below:
- Fairness and lawfulness: The data processor should be fair enough to tell you what they are going to use your data for. They should avoid profiling customers without prior approval. As I mentioned earlier, organisations will have to avoid processing personal data for a secondary purpose without the consent of the data subject, i.e. using your data for purposes that they did not disclose. For example, you register for a loyalty card at a supermarket and after a few days you receive promo texts, sale notices and new product updates from their store. This will have to change. Therefore, businesses should relook at their policies and procedures and ensure compliance with the DPA to avoid penalties.
- Transparency: the data controller/processor will be transparent while processing personal data.
- Data minimisation: the data processor should disclose all the data points to the data subject to ensure that the collection process is fair. The question is, what happens when the data subject declines to share the data but needs access to a particular service?
- Storage limitation: organisations, depending on their regulatory authorities, will have to review their data retention policies, e.g. the data that was collected 10-15 years ago, is it still needed? If data is piled up in silos or data warehouses, these become honey pots for hackers. Therefore, the justification for keeping data for a long period should be reviewed and redefined to ensure compliance.
- Accuracy: there are also cases of wrong data keyed on legally recognised documents like Passports, National IDs, Birth Certificates, etc. The timeframe for correction of data errors is not clearly defined. Since the DPA regulates Government agencies, the timeframe for resolving or correcting errors on legal documents whose details were wrongfully captured by government agencies should be clearly stated to avoid delays.
What should organisations do to comply with the DPA? Implications of the Act for business.
What is likely to change and how business will respond:
- Businesses should change the way they handle, process and use personal data, i.e. organisations should protect their customers’ and employees’ data, since the DPA cuts across all areas of operation.
- Organisations will have to issue PRIVACY STATEMENTS and communicate them to their clients to ensure transparency on matters of data processing.
- Every entity/business that deals in data processing will have to employ a DPO in their organisation. You can have one DPO for all subsidiaries.
- Include the contact details of the Data Protection Officer in the Privacy Statement or policy to enable data subjects to reach out to him/her in case of any concerns/complaints to the company on how their PII is processed. One of the key functions of the DPO will be to liaise between the DC, Data Controllers and Data Subjects.
- Businesses will only collect data with consent from the data subjects and are supposed to give assurance on the appropriate handling of their PII; if a data subject asks any company how much data it holds on them, the data processor (company) will have to disclose the details to the data subject. In addition, the organisation processing your information has the duty to notify the data subject of the number of data points it will collect and also to disclose the secondary purpose for use of your data (if any). In other words, the organisation should notify you if it will share your data with a 3rd party at some point. Opt-out options should be emphasised; data subjects reserve the right to understand what the organisation is using their PII for.
- Review the Privacy Policies on the company website. In addition, develop policies for data protection and share such information on these websites.
- Organisations have the mandate to inform data subjects about new changes to the cookies policy.
Likely challenges to the implementation of the provisions of the Act:
- Cases where the data subject declines to share their personal data but needs to access a service, for example failing to agree to the Cookies policy: ACCEPT or NOT.
- How consent will be sought in this digital environment, e.g. appending digital signatures to physical documents.
- How soon incidents should be reported as breaches.
- Determining how much data will be moved from one company to another, e.g. between hospitals and insurance companies.
- The ability of companies to shift data from one company to another seamlessly in case the data subject wishes to change service provider.
- How fast organisations will implement the integrations needed for a secure data processing environment.
Way forward
Since the implementation of the Act will be a gradual process, organisations should take note of the following aspects:
- Creating awareness and building a culture of data protection.
- Carry out a Data Impact Assessment and submit the results to the DC for approval.
- As a data processor/controller, understand that even after a breach has occurred, you are still accountable for protecting your customers’ data, i.e. make sure that adequate information security measures are applied to customer data.
- Align your data protection practices with best industry standards, e.g. ISO 27001.
- Develop a Privacy Statement for your company and explain it to your employees and customers.
- Make sure your partners/3rd-party providers are compliant as well, to avoid falling victim. To ensure this, review your supplier policies and their data protection practices prior to procuring any service from them (carry out due diligence).
- Identify appropriate skill-sets for the DPOs. This calls for capacity building, since the DPO role takes into consideration both Legal and IT aspects.
“I encourage you to download the Data Protection Act, 2019 and read”.
“Together, We Work Smart”
#sharewithV
Reference: National KE-CIRT/CC Cybersecurity Fireside Chats. November Edition
“Data Protection and Cybersecurity”.