How the Data Protection Act Will Impact Your Business
The Data Protection Act (“DPA”) became law on 25th November 2019. However, over fourteen months later, very few businesses have complied with the requirements of the Act. In fact, it is safe to say that the majority of them are yet to understand the law and the ensuing compliance obligations.
What Is the Data Protection Act?
The DPA is a law that aims to regulate the processing of personal data in Kenya. Personal data refers to any information that can be used to identify an individual. For example, his name, ID or passport details, physical or postal address, physical appearance (e.g. height, weight, colour of eyes, hairstyle), economic details (e.g. income or salary), or his cultural or social identity. Personal data also covers things such as a person’s online identifiers e.g. his IP address, emails, usernames, passwords, etc.
What does the processing of personal data mean? Processing refers to any activity you do to personal data including collection, use, storage, sharing, and transfer to third parties.
Who Does the Act Apply To?
However, the Act does not apply to individuals handling personal data for household or personal activities. So, if you collect your friend’s telephone numbers to organise a surprise birthday party or a bridal shower, you may not need to comply with the Act.
How Does the DPA Impact Business?
In this section, we consider a few of the ways in which the Act is set to impact businesses handling personal data in Kenya.
1. Increased Compliance Obligations
The Act establishes the office of the Data Commissioner. In essence, the Data Commissioner is the regulator responsible for enforcement of the Act. Although the Act was enforced in 2019, the Regulator’s appointment was only finalised in November 2020. This explains the sluggish activity we have seen on the implementation of the Act. Following her appointment, the Data Commissioner has wasted no time in establishing the office and meeting key stakeholders and so we expect enforcement to take off within this year.
Compliance with the Act requires an understanding of the Act. The short video below explains some of the key terms (e.g. personal data, data controller, data processor, processing, data subject) you will encounter in the Act.
In summary, the Act requires data controllers and processors to:-
- Register with the Data Commissioner
- Respect invididual privacy
- Handle personal data in accordance with data collection principles set out in the Act
- Respect the rights of personal data owners (also known as data subjects)
- Report any personal data breaches to the Data Commissioner within timelines set out in the Act.
If you fail to comply, you face stiff penalties i.e. 1% of your annual turnover or Kes. 5 Million, whichever is lower as well as criminal sanctions. In addition, data subjects also have a right to seek compensation from you for breach or loss of their personal data.
2. Marketing and Promotions
If you promote or market your business or venture directly to individuals whether by phone, SMS, or email you will need to ensure that your marketing practices adhere to the requirements of the Act. For one, you have to be transparent with your customers. You cannot simply collect your customers’ contacts and send them promotional messages unless they know about it and have expressly given consent. In practical terms, this means that you must give the customer an opportunity to “Opt-In” to receiving your promotional messages. Even after a customer has opted-in to your service, they have the right to withdraw consent i.e. to “Opt-Out” of your service at any time. As a business, you must provide an avenue for them to Opt-in and Opt-out at any time. Failing to do so is a breach of the Act and could expose you to penalties.
3. Third-Party Contracts
If as a Data Controller you retain the services of a Data Processor to help in managing your data, you need to ensure that you have complementary compliance obligations. For example, if you work with a payroll processing company or you use cloud-based services to process your data, your contracts should clearly outline how data is managed and process for reporting breaches. If there is a mismatch of obligations you might be exposed through the acts or omissions of your processor.
4. Enhanced Data Security Requirements
The Act mandates data controllers and processors to adopt adequate security measures to secure personal data. Some of the measures prescribed in the Act include encryption, anonymisation and pseudonymisation of data. Apart from these examples, there several other strategies that businesses can adopt to ensure security. For instance, you can take steps to secure your networks and devices, install malware and anti-virus protection, use firewalls, etc. In addition to online safety, you should adapt measures that assure the safety of any data that is maintained in hard copy formats.
5. Incident Management
If a data personal data breach occurs in your organisation, you have the obligation to report the breach to the Data Commissioner. The Act imposes strict reporting timelines on both the Data Controller and the Data Processor. If a personal data breach is likely to pose a real risk or threat to the data subject, the data controller must report to the Data Commissioner within seventy-two (72) hours of becoming aware of the breach. Similarly, a data processor must report a breach within forty-eight (48) hours of awareness. This means that data controllers and processors must have adopted seamless incident management processes to ensure compliance.
6. The Privacy Mindset
Among the key obligations imposed on data controllers and processors is the requirement to conduct data privacy impact assessments and to adopt data protection by design and by default in all business operations. What this means is that all personal data processing activities should be designed to secure an individual’s privacy. Data privacy should not be an after-thought. Instead, should be embedded into every product and process before it is rolled out for use. The same standard applies even to existing products.
In other words, your organisation should adopt a data privacy mindset. Ask yourself, how can I deliver this to my data subjects without violating their privacy?
7. Exercise of Data Subject Rights
The Act grants data subjects a wide array of rights over any personal data held by data controllers or processors. In brief, a data subject has rights to:
- erasure/right to be forgotten
- withdraw consent
- object to automated processing
- data portability
A direct consequence of the grant of rights is that the data subject has the power to exercise the rights. Therefore, a data subject can approach you and make a request on their data pursuant to the above rights. You should not only have an orderly process for dealing with the requests, but also a way to demonstrate compliance.
As a business, you cannot afford to be complacent with data protection. Apart from the potential financial penalties and criminal sanctions, non-compliance can expose you to reputational risks and diminish customer or investor confidence in your business.
Some of the things you can do to comply with the DPA include:-
- Map all personal data in the organisation. This helps to ascertain the types of personal data you hold, sources of the data, and your processing activities.
- Develop appropriate policies and processes for compliance.
- Designate a data protection officer i.e. an employee within your organisation charged with the responsibility of data privacy.
- Start inculcating the privacy culture in your organisation by training staff on your data privacy expectations.
- Link with the Data Commissioner’s office to stay abreast with the latest regulations and expectations from a compliance perspective.