By Victor Orandi
On 25th November 2019, the Data Protection Act 2019 came into force in Kenya (DPA). The DPA applies in all sectors where personal data is being collected such as in digital marketing, fintech companies, insurance, financial services, and media by either individual or entities. It also imposes penalties for non-compliance of both civil and criminal nature.
The DPA establishes the Office of the Data Protection Commissioner, to be held by a Data Commissioner who will be appointed by the President and approved by the National Assembly. The Data Commissioner’s role, among other functions, is to exercise an oversight role on data processing, establish and maintain a register of data controllers and processors (entities), inspection of entities, receive and investigate complaints against entities and overseeing the implementation and enforcement of the provisions of the DPA.
On 13th October 2020, the President nominated Ms. Immaculate Kassait, for appointment to the position of Commissioner. On 5th November 2020, the National Assembly (Assembly) approved her nomination as the Data Commissioner. The President shall proceed to confirm her appointment for a single term of six (6) years.
We expect the Office of the Commissioner to establish the necessary procedures for the registration of data processors and data controllers even as the office seeks to provide and implement guidelines and regulations relevant in actualizing its operations under the DPA.
The Data Commissioner is mandated to request a person or entity that transfers data to a foreign country to demonstrate the effectiveness of the security safeguards exercised by such party. The processing of sensitive personal data out of Kenya can only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards.
The Data Commissioner may issue a penalty notice to a person who has failed or is failing to comply with the requirements of the DPA requiring the person to pay to the office of the data commissioner a penalty of not more than Ksh. 5,000,000 or in the case of an undertaking, not more than 1% of its annual turnover of the preceding financial year, whichever is lower. The general penalty for offences under the DPA is a fine not more than Ksh. 3,000,000 or to an imprisonment term of not more than 10 years.
In preparations for the DPA to be operationalized, by the appointment of the data commissioner, entities that regularly and systematically monitor and process information on data subjects shall require to appoint a data protection officer, who shall primarily advice the entity and their employees on data processing requirements as provided under the DPA and cooperate with the data commissioner and any other authority on matters relating to data protection.