Data Protection and your Business

The Data Protection Act (“the Act”) was passed into law in 2019. The main objective of the Act is to give effect to the Constitutional right to privacy and regulate the processing of personal data. The Act also established the Office of the Data Protection Commissioner, responsible (ODPC)?the implementation and enforcement of the Act.

The Act will impact businesses that process personal data of subjects located in Kenya. Many businesses are now required to streamline their processes to comply with the Act. Some of these include review of the collection, handling and storage of customer/client or employee data as well as establishment of appropriate policies and training/sensitization of staff. Although not mandatory, many businesses will require a Data Protection Officer (DPO), whose role will be to secure compliance with the Act.

Organizations are now required to develop policies and guidelines on handling of personal data and sensitive personal data. The Act has defined data controllers and data processors who must obtain consent from data subjects as one of the conditions to lawful processing of data. Businesses will have to demonstrate that the consent was freely given, is specific, informed, and unambiguous.

Businesses that are either, data controllers, data processors or both and who meet the criteria in the Act must register with the ODPC. Registration, which commenced on 14th July 2022 is ongoing, following the expiry of a six (6) months grace period to allow businesses comply with the requirements of the Act. The ODPC is currently processing applications online through a public portal: https://dataportal.odpc.go.ke/ .

The cost of non-compliance with the requirements of the Act are high. The general penalties are set at Kenya Shillings Ten Million (KShs. 10,000,000.00) and/or a jail term of ten (10) years. Administrative fines are capped at 1% of the organization’s turnover of the preceding financial year. ?

GVA has the required expertise to assist organizations achieve compliance with the Act. We offer support on issues such as registration with the ODPC; drafting and review of policies and guidelines on data protection and privacy; and staff sensitization and training.

You may reach us for inquiries and consultation on: [email protected]