The Data Protection Act, 2019 came into effect on 14 July 2022. Three subsidiary regulations were published in the Kenya Gazette Supplement of 31 December 2021: (1) the Data Protection (General) Regulations, 2021; (2) the Data Protection (Complaints and Enforcement Procedures) Regulations, 2021; and (3) the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. Together, these data privacy laws provide a framework for processing personal data, set out the rights of data subjects and define the obligations of data controllers and processors. Their objective is to regulate the processing of personal data; to ensure that processing is guided by stated principles; to protect the privacy of individuals; to establish a legal and institutional mechanism for protecting personal data; and to give data subjects rights and remedies to protect their personal data. They therefore give data controllers and processors a guideline on how to handle the data they collect, process and store.
Data controllers and processors are entities that process personal data in the course of activities such as health administration, financial services, telecommunication services and transport services, amongst others. Any entity that collects, records, organises, classifies, stores, modifies, amends, retrieves, broadcasts or otherwise manipulates personal data is therefore required to comply with the Act. Personal data is any information relating to an identified or identifiable living person. This includes a name, an identification number, a digital identifier, and any information that could cause harm to that person if leaked or misused.
These entities collect and maintain personal data about their clients as they manage their business activities. They are now required to ensure the security of that personal data: they must prevent unauthorised access to it and ensure that the data they hold is accurate, based on the information obtained from the client. Inaccurate data should be erased or rectified, which means that collected data must be kept up to date so that it is accurate at all times. The Act gives data subjects the right to access the data these entities hold about them; data subjects must be informed of the use to which the collected data will be put, and they are entitled to have misleading data corrected and false or misleading data deleted.
The data collected by organisations has in the past exposed their customers to fraud. In one reported case of SIM swap fraud, the fraudsters posed as bank staff and asked customers for their account number, PIN and transaction details. The phone calls were staged to look like genuine bank employees calling to make inquiries. Having obtained this information, the fraudsters were able to access the victims' bank accounts through the banks' mobile banking platforms. Such cases breach the regulatory requirements of the Data Protection Act. In May 2022, it was reported that a senior police officer was defrauded of Kshs 597,100. The funds were transferred from his bank account to his mobile phone and then to a mobile number unknown to him. In that case the fraudsters had access to the bank account, to the mobile phone number and to his mobile banking platform. Entities should therefore ensure that they are accountable, by putting appropriate data security measures in place and by being able to demonstrate compliance. Data security matters because it assures customers of their own security and of the security of their data and resources. Entities that fail to protect personal data and to comply with data privacy regulations are not just risking financial penalties; they also risk operational inefficiencies, intervention by regulators and, most importantly, permanent loss of consumer trust.
Entities should ensure that they process data lawfully and fairly. One of the requirements is that the individual must consent to the processing of their personal data. The Office of the Data Protection Commissioner (ODPC) directed Oppo Kenya to review its data handling practices after a complaint was filed by one of its data subjects. The complainant alleged that Oppo Kenya had used their photo on its social media platforms without consent, contrary to the Act. Oppo Kenya was fined Kshs 5 million for failing to comply with the Act and its regulations. The Act provides that sensitive personal data may only be processed with the individual's express consent, unless the data is required for filing or defending legal proceedings or claims, or there is another legal, public interest or regulatory basis for processing it. Entities should therefore ensure that they have adequate policies, procedures and controls in place to protect data privacy.
Data Privacy Laws
The data privacy laws empower individuals and give them control over their personal data. Data subjects have the right to access their personal data on request; the right to restrict the processing of their personal data; the right to object to the use of their data; the right to have their personal data corrected; and the right to have their personal data transferred (data portability). Entities that process this data should therefore develop clear policies and procedures for complying with the data privacy laws, put adequate data retention mechanisms in place, and minimise operational lapses in capturing information at source by getting it right the first time. Entities should also periodically reassess the data they hold, ascertain whether it is still lawful to retain it, and determine whether any changes are required. More importantly, organisations should train their staff on the data privacy laws to minimise the risk of non-compliance. Entities that fail to protect personal data risk regulatory breaches that lead to financial loss and, ultimately, reputational damage, amongst other risks.
Caroline Gathii is an International Certified Risk Expert with FirstIdea Consulting Limited.
Email: cgathii@firstideaconsulting.co.ke