What does the Data Protection Act mean for your business?

This article concludes a three-part series on data protection. Click here to read part 1, and here for part 2. Click here to read a mid-week special on contact tracing apps.

Prior to the enactment of the Data Protection Act of Kenya (“the Act“), organizations and businesses possessed more power in the collection and use of personal data. However, this is not the case as the data protection regulations place the consumer in the driver’s seat, and the burden of compliance falls upon organizations and businesses. The Act forces firms to restructure their policies by setting out obligations that must be adhered to, where the processing of personal data is concerned. Companies should take note of the areas highlighted below.

Registration

For Data controllers and data processors to operate, they must register with the Data Commissioner. Businesses that collect and process employees’ and customers’ data through job applications, employee profiles, CCTV surveillance, or biometrics may be deemed, data controllers or data processors. Particulars for registration include, among other things, description of the personal data to be processed, and the purpose of processing. Once a data controller/processor completes registration, the Data Commissioner issues them a certificate (which is subject to renewal).

Businesses that collect and process employees’ and customers’ data through job applications, employee profiles, CCTV surveillance, or biometrics may be deemed, data controllers or data processors

Stephanie

The Act makes it an offence for data controllers and data processors to contravene registration provisions. Upon conviction, the liability borne is a fine not exceeding three (3) million shillings or imprisonment for a term not exceeding ten (10) years, or both.

Adequate Safeguards

Companies must share with the Data Commissioner a general description of the risks, safeguards, security measures, and mechanisms to ensure personal data protection for registration purposes. The Act goes on to provide that data controllers and processors must undertake appropriate technical and organizational measures. These measures are designed to integrate necessary safeguards for purposes of data processing. 

For example, The Information Commissioner’s Office (ICO) fined Sony Computer Entertainment Europe 250 000 pounds for a breach of its PlayStation Network, which housed personal data shared by gamers such as credit card information. ICO reported that the security measures Sony had put in place were simply not enough. Equally, the Kenyan Act provides for penalties that include criminal sanctions and administrative fines. For example, a business that contravenes any provision of the Act where no penalty is provided, is liable to a KES 3,000,000 fine or ten-year imprisonment.

The Kenyan Act provides for penalties that include criminal sanctions and administrative fines

Stephanie

Breach Notification Obligations.

Data controllers and processors must put in place appropriate and adequate safeguards to avoid such hefty fines. However, where a breach occurs, the Data Commissioner must be notified within seventy-two (72) hours as per the Act’s provisions. Equally, the data subject must be notified of the breach in writing.

Data Protection Officer (“DPO”)

As set out in the Act, data controllers and processors may appoint or designate a qualified Data Protection Officer. The DPO may be a staff member of the business and may fulfill other tasks and duties so long as no conflict of interest arises. Different entities may appoint one Data Protection Officer provided that the officer is accessible by each entity. The Act provides that contact details of the DPO be communicated to the Data Commissioner and published on the business’s official website.

Data Transfer

Consent must be obtained from the data subject where the processing of sensitive personal data is conducted out of Kenya. Equally, certain conditions must be met for personal data to be transferred outside of Kenya. The Act provides that appropriate and adequate security safeguards must be demonstrated before a transfer is effected. To protect the fundamental rights and freedoms of data subjects, the Data Commissioner may prohibit, suspend, or set conditions for personal data transfer.

Conclusion

Data subjects have been disadvantaged as organizations mined, stored, and used personal data without due regard. The enactment of the Act changes the playing field between consumers and businesses. It would be wise for companies to restructure their internal policies in compliance with the data protection regulations to avoid facing any penalties.