THE DATA PROTECTION OFFICER: ROLE, RULES, AND PRACTICE IN KENYA
Cherie Oyier
Lawyer | Privacy and Data Protection Law Professional | Tech Law Policy | Certified Professional Mediator
Emerging Trend
One of the emerging trends resulting from the enactment of the Data Protection Act, 2019 (the Act) in Kenya is the designation and hiring of Data Protection Officers (DPOs). Entities are making adjustments in their organizational structures to include this position, and advertisements for these positions have increased in the last couple of months in Kenya.
The designation of a DPO is one of the measures provided for under the Act to promote compliance. It is therefore important that entities designate a DPO in a proper and timely manner. The designation is proper where the DPO has the requisite qualifications and resources to carry out the designated duties. The decision to designate a DPO should be made at the earliest opportunity where an entity's processing activities rely heavily on personal data. The logic is simple: the longer an entity operates without a DPO, the more personal data it collects and processes, and the harder it becomes to bring that processing into compliance once the necessary framework is finally put in place.
Voluntary Designation
The wording of section 24(1) of the Act indicates that the designation of a DPO is not mandatory for data controllers or processors. Section 24(1)(a) to (c) provides a general guide to the entities that may designate a DPO.
As a general rule, private and public bodies processing personal data may designate a DPO, except for courts acting in their judicial capacity. This brings all entities processing personal data within the ambit of section 24 of the Act. An entity, whether public or private, may consider, among other factors, its size, its economic situation (i.e. whether it can afford to designate a DPO) and the intensity of its processing activities in deciding whether or not to designate one. All these factors should be weighed in light of the entity's risk appetite and how the role will manage those risks for the overall benefit of the entity. While the designation of a DPO is voluntary, it is always better to err on the side of caution and reduce the risk of non-compliance.
Section 24(1)(b) is more specific: it provides that entities, whether controllers or processors, whose core processing activities by their nature, scope and purpose require regular and systematic monitoring of data subjects may designate a DPO.
Core activities are those that contribute directly to the realization of an entity's main business strategy. For instance, if the processing involves monitoring and analyzing cookies on a website, or processing geo-location data to determine the preferences and locations of data subjects in order to inform an entity's expansion decisions, such processing will be considered a core activity. By contrast, where an online store processes location data only in order to make a delivery, the processing is ancillary to its core business, which is retail.
Regular and systematic monitoring of data subjects includes activities such as the use of CCTV cameras in publicly accessible places and keystroke analysis, among other granular processing activities.
A controller or processor processing sensitive personal data may also designate a DPO, as per section 24(1)(c). Sensitive personal data is defined under section 2 of the Act to include data revealing race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including the names of one's children and spouse, and the sex or sexual orientation of the data subject. Sensitive personal data is considered high-risk in the possession of data controllers and processors because of the insights it can give about a data subject and, by extension, the harm that could befall a data subject where the data is lost or accessed by an unauthorized party. It is therefore imperative that the greatest care is taken when handling sensitive personal data, and having a qualified DPO will go a long way toward ensuring that the Act is complied with, thereby reducing the risks associated with processing such data.
Rank and Status of a DPO
Section 24(2) of the Act is likewise not couched in mandatory terms and, more importantly, leaves open the status that a DPO may take.
The Act provides that the DPO may be a member of staff of the controller or processor and may perform other duties within the entity, as long as there is no conflict of interest between the roles. It is therefore possible for controllers and processors to appoint from their existing internal staff, as long as the people appointed have the requisite academic and professional qualifications and the ability to carry out the statutory duties of a DPO. Where a controller or processor opts to appoint from existing staff, especially where the office of the DPO did not previously exist, restructuring is necessary to ensure there is no conflict of interest.
In the alternative, a controller or processor may create the office of the Data Protection Officer within the entity and call for external applications. In such instances, the hiring controller or processor must ensure that the DPO has the requisite academic and professional qualifications to carry out the statutory duties of a DPO. The use of the word "may" in section 24(2) implies that a DPO does not necessarily have to be a staff member of the controller or processor. A DPO may therefore be either an employee or an independent external contractor engaged under a contract for services.
Questions have been raised about the status of a DPO, namely whether a DPO can be a natural or a legal person. Section 24(7), which sets out the services a DPO renders once designated, makes it evident that those services or duties can be delivered by either a natural or a legal person. A firm or entity, or a natural person, with the requisite academic and professional qualifications can therefore offer DPO services.
Independence of the DPO
By their nature, the statutory duties of the DPO may from time to time be seen to conflict with the entity's interests. For instance, the DPO is required, among other duties, to notify the Data Commissioner and the affected data subjects of personal data breaches. Left to their own devices, most entities would rather deal with data breaches quietly and away from the public gaze. To carry out the duties under the Act successfully, the DPO must be given the space and freedom to work independently, free from attempts to compromise them or threats to their job security.
A contract of employment or a contract for services with express provisions on tenure and on the grounds and procedure for termination, in line with the Employment Act, will establish a degree of security and thus independence. The DPO must also possess and maintain high standards of integrity in order to avoid being compromised.
When designating a DPO it is also important to consider the rank that the DPO will hold in the hierarchy of the organization. Bottlenecks and bureaucracy must be eliminated so that the DPO can carry out their statutory duties effectively and efficiently. The DPO must hold a rank at which they report directly to the highest management level, such as the risk manager or customer relations manager; relegating the DPO to a lower rank in the organization creates too many friction points in reporting and decision making and renders the office ineffective.
Whether an entity chooses to restructure and redeploy existing staff, call for external applicants, or engage a DPO under a contract for the provision of services, the consistent theme should be that there is no conflict of interest whatsoever. Thus C-suite executives, IT, legal, HR and operations managers, and providers of other legal, compliance and IT services should not be considered for DPO services, because of the obvious conflicts their other roles and services would pose with the statutory duties. When an entity considers procuring the services of an existing service provider, such as a law firm or cyber security firm, to offer data protection services, it is imperative that any conflict of interest be identified and addressed before the services are provided. Mechanisms such as ethical walls between the firm's departments providing the different services would be appropriate to deal effectively with such conflicts.
Group DPO
A single DPO may serve a group of entities as long as the DPO is accessible to each entity when needed. This provision of section 24(3) will help groups ensure uniformity of compliance procedures across their entities and save on the cost of designating a DPO for each separate entity, especially when the size and processing activity of each entity is weighed against the financial implications.
For accessibility by each entity to be achieved, matters such as time zones, location and a common language must be considered when deciding whether or not to designate a single DPO. Given the need for the DPO to report directly to top management, it would be prudent to have the single DPO designated at the group headquarters or, where the DPO is a legal entity, within the jurisdiction of the group's headquarters. The goal is to have the DPO as close to the seat of decision making as possible, so that compliance decisions can be made easily for risk management purposes.
For further efficiency and timely oversight, the entities within the group may have their own data protection departments that report to the overall group DPO.
Qualifications of the DPO
The Act provides that a person may be designated as a DPO if they have relevant academic or professional qualifications which include knowledge and technical skills in matters relating to data protection.
Data protection matters have both legal and technical aspects. The legal aspect relates to statutory compliance, while the technical aspect deals with the technological infrastructure and designs that facilitate the processing of personal data, as well as cyber security tools. Neither is subordinate to the other; they complement each other, and this diverse expertise is required for a robust and efficient DPO. The question that has now emerged, even as advertisements for DPO positions increase, is whether entities should consider hiring a team with this diverse expertise rather than an individual, as has commonly been the case. In Kenya, where data protection is a new concept, the reality is that controllers and processors are at the moment more likely to benefit from a team with diverse skills. This is because, at present, there are legal practitioners or IT professionals with expertise in their separate fields, but there is not yet a nationally recognized curriculum for the Kenyan market that merges law and IT to the extent of equipping a single person with both the legal and technical skills needed to provide data protection services. In terms of qualification by experience, too little time has passed since the enactment of the Act, so there is still a shortage of professionals combining these two skill sets. An emerging trend we will now see is the development of curricula and the publication of more books and articles to meet this need for DPOs with both legal and technical skills.
Statutory Duties of a DPO
An entity looking to designate a DPO may use section 24(7) as a guide when drafting the DPO's job description. The DPO will be responsible for:
a) Advising the controller or processor and their employees on data processing requirements under the Act or any other written law. This includes advice on ensuring that processing is done in accordance with the data protection principles and that the rights and freedoms of data subjects are upheld during processing, among other matters;
b) Ensuring, on behalf of the controller or processor, that the provisions of the Act are complied with. This includes ensuring that processing is done in line with the data protection principles, that the rights and freedoms of data subjects are upheld, that the necessary reports are made to the Data Commissioner in the event of a breach, and that Data Protection Impact Assessments are carried out where the nature, scope and purpose of the processing call for them;
c) Facilitating capacity building of staff in data processing operations. Data protection compliance should not be treated as a mere box to tick; there is a need to cultivate a culture that values the protection of personal data. This can be achieved by ensuring that every person who handles personal data in an entity is adequately trained on how to protect it. The DPO will thus develop data protection training manuals and courses relevant to the different ranks and departments of the entity;
d) Providing advice on data protection impact assessments (DPIAs). Section 31 of the Act sets out the instances in which a DPIA must be conducted, what a DPIA must include, and the procedure for conducting one, among other matters. The DPO will be responsible for advising and guiding the controller or processor when a DPIA report is being prepared;
e) Cooperating with the Data Commissioner and other authorities on matters relating to data protection. The DPO will be the contact person for the controller or processor, and will therefore receive and respond to inquiries and complaints from the Data Commissioner or the public. The DPO will also be responsible for communicating and reporting any incidents to the public or to the Data Commissioner where the situation calls for it.
Resources Required by the DPO
For the effective and efficient discharge of the DPO's duties, the DPO must be given the requisite access within the entity and the resources to carry out those duties.
The DPO should therefore be given access to personal data and processing activities across all departments involved in data processing within the entity. Given this high level of access, the DPO must be guided by the principle of confidentiality. Further, the DPO should be provided with a suitable workspace, IT and financial resources, specialist literature, support staff, and sufficient time to execute the assigned duties.
Conclusion
Kenya has made significant strides toward enforcement of data protection law since the enactment of the Data Protection Act in 2019. Since then, the Office of the Data Commissioner has been set up, recruitment of officers is currently underway, and regulations to enable enforcement of the provisions of the Act have been gazetted, alongside public sensitization on data protection by different stakeholders. Data protection law is therefore alive and gaining ground in Kenya.
Institutions both within and outside the jurisdiction are also offering data protection courses, which many Kenyan professionals are taking up in order to offer the much-needed DPO services. The sector is therefore growing, and yet more growth is expected in the future.
Judicial Officer
2 years ago: I have never doubted your work as an advocate. With this article I wish to state that I also don't doubt your idea presentation, great writing and forays into new legal realms. Keep it up.
LEGAL - Energy, Climate & Environment Sector - Legal - Medical & Health Administration, Medical Law Practice, Criminal Law, Intelligence, Security & Data Protection & attendant paralegal - in govt & private.
2 years ago: Thank you... wonderful insight!
Consultant RSE et ESG / Industries Extractives in SSA - Fluids SME w/ Law Firms / Legal Departments
3 years ago: Subordinate to the Regulatory Compliance Officer?
Legal Counsel, Projects, Energy & Infrastructure. Corporate & Commercial. Featured in the Legal 500 GC Powerlist East Africa 2024
3 years ago: This is informative. Thank you for sharing, Cherie Oyier!