By Victor Orandi

The Data Protection Act, enforced by the Office of the Data Protection Commissioner (ODPC), has been instrumental in regulating personal data collection, processing, and storage by private firms, government agencies, and county governments.

Since enacting the Data Protection Regulations in February 2022, the ODPC has been vigilant in addressing privacy breaches. Private firms, government agencies, and county government departments must adhere to these regulations. Data Protection Officer Yusuf Momanyi said that the ODPC received over 2,000 complaints within the first few months of the regulations’ effect.

In the event of an infringement, the Data Commissioner can impose penalties of up to Sh5 million or one percent of the organisation’s annual turnover from the preceding financial year, whichever is lower. Recently, the ODPC imposed a KSh 5 million fine on Oppo Kenya for privacy infringement. Oppo Kenya used the photo of an unnamed complainant on its Instagram page without obtaining proper consent.

Any data controller or processor using personal data for commercial purposes without the data subject’s consent is also deemed to commit an offence. The consequences for such actions are severe, with potential jail terms of up to six months or fines reaching Sh5 million.

In Conclusion
Kenya’s Data Protection Act signifies a significant stride towards safeguarding individuals; privacy in an era dominated by data-driven activities. As organisations continue to navigate the data protection landscape, prioritising compliance, employee awareness, and responsible data handling practices are essential for fostering a trustworthy digital environment. Employees play a pivotal role in data protection, being the primary custodians of data within an organisation. They are also at the highest risk of inadvertently breaching privacy. It is imperative to create awareness among employees about the legal requirements related to data privacy. Educating them on the importance of obtaining consent and handling data responsibly contributes to a culture of privacy within the organisation.