Many organizations in Kenya are yet to start implementing the Data Protection Act (DPA) of 2019. PwC Kenya’s Head of Legal & Regulatory, Compliance Advisory, Mr Joseph Githaiga, says that most of them are still in the phase of getting an understanding of the DPA and assessing the implications for their operations. Others have already embarked on the process of developing systems to enable them to comply.
He says that many local organizations that are encountering data protection laws for the first time “do not have adequate financial, HR and technical resources to implement effective data protection compliance frameworks.”
Githaiga who made his remarks as the world commemorated the Data Protection Day however says the newly created Office of the Data Protection Commissioner (ODPC) and the appointment of Ms Immaculate Kassait as Kenya’s first Data Protection Commissioner, has given a strong impetus to the implementation of these laws. The ODPC has been actively raising awareness of the Kenyan Data Protection Act (“DPA”) and associated Regulations through the media and engagement with various industry sector bodies.
He noted that the financial services and the telecommunications sectors have demonstrated a higher degree of awareness and compliance than many others. This is expected to scale up across all sectors as more organizations adopt good data privacy practices.
According to data from a study conducted by Infotrak Research Consulting Limited in May 2021, 70 percent of Kenyans are still not aware of their rights under the DPA and how to go about exercising them.
The act provides citizens with the right to be informed of the use to which their personal data is to be put, the right to access their personal data, the right to object to the processing of your personal data, the right to correction or deletion of misleading or false data and the right to withdraw consent at any time.
Mr Githaiga says a key area of concern is that many organizations operating in Kenya with large data collection and processing operations are foreign-owned entities.
“This presents a significant amount of risk of personal data of Kenyans being processed in foreign jurisdictions due to cross border transfers of data,” he explains.
The ODPC, being a new regulator, is still in the process of developing its capacity to effectively implement the DPA. Given its broad mandate, which includes public awareness, investigations, and enforcement, it must be allocated a sufficient budget to invest in the right personnel, technology, and expertise to execute this mandate.
To increase their level of compliance, PwC advises institutions and organizations to appoint a Data Protection Officer (DPO) to guide compliance with the DPA and also act as a contact point for customers and the ODPC concerning data privacy matters. Additionally, they should conduct employee data protection and privacy training and awareness to key stakeholders regularly.
Further, institutions that collect personal data need to develop privacy notices to inform customers and the wider public of their rights under the DPA and how the institution handles personal data. They also need to conduct data protection gap assessments to identify potential privacy risks and take measures to remediate any weaknesses identified.
To deal with data privacy breaches, Mr Githaiga advises institutions to put in place robust breach incident management processes that allow rapid identification and mitigation. This may involve notifying affected customers of the breach and guiding them on steps they can take to reduce risk.