By Victor Orandi
On 25th November 2019, the Data Protection Act 2019 came into force in Kenya (DPA). The DPA establishes the Office of the Data Protection Commissioner, to be held by a Data Commissioner who the President will appoint.
On 12th November 2020, the President appointed Ms Immaculate Kassait as Data Commissioner of the Office of the Data Protection Commissioner (the “ODPC”).
The Data Commissioner’s role, among other functions, is to exercise oversight of data processing, establish and maintain a register of data controllers and processors (entities), inspect entities, receive and investigate complaints against entities, and oversee the implementation and enforcement of the provisions of the DPA.
The ODPC has experienced significant developments towards its operationalisation, as discussed below:
1. The ODPC has launched its official website, www.odpc.go.ke. Through this website, any person or organisation will be able to report a data breach, file a complaint or report a concern.
- An individual or entity in breach of data protection laws may be liable to a penalty of Ksh. 5,000,000 or in the case of an undertaking, not more than 1% of its annual turnover of the preceding financial year, whichever is lower.
2. The Cabinet Secretary, Ministry of ICT, Innovation and Youth Affairs, gazetted the Taskforce on Development of Data Protection (General) Regulations in January 2021. Terms of reference of the Taskforce are to:
- propose any new policy, legal and institutional framework that may be required to implement the Data Protection Act, 2019;
- sensitise stakeholders and the public on the Data Protection (General) Regulations;
- undertake stakeholder and public consultation on the Data Protection (General) Regulations; and
- undertake any other activities required for the effective discharge of its mandate.
3. The ODPC has developed guidelines that are awaiting public participation. These are:
- Registration of Data Controllers and Processors;
- Seeking Consent from Data Subjects;
- Certification of Data Controllers and Processors;
- Data Impact Assessment;
- Appointment of Data Protection Officers; and
- Data Sharing Code and Enforcement.
What should companies do?
- Data Protection Officer
Appoint a data protection officer with expert knowledge of the company’s IT infrastructure and of its technical and organisational structure.
The officer can either be an employee of the company or an independent contractor, and shall advise the company on the legal requirements for processing data.
The appointment of a data officer shall assist the company in complying with the DPA provisions.
- Data Protection Statements
Review, or create, the company’s data protection statement. The statement shall provide information about how the company collects, stores and uses personal data relating to individuals (data subjects).
This data protection statement covers personal data received directly by the company when data subjects contact it, request information from it, or provide information to it, as well as personal data the company receives indirectly.
A comprehensively drafted data protection statement will assist a company in complying with data protection principles, including adhering to a data subject’s rights.
A company can employ legal expertise in data protection laws to create or review its data protection statement.
- Data Protection Impact Assessment (DPIA)
Conduct an internal DPIA to identify risks arising out of personal data processing to minimise these risks as far and as early as possible.
DPIAs will help a company deal with issues internally and proactively, instead of risking complaints, external investigations and/or penalties.
- Legal advice
Seek comprehensive legal advice on the applicability of the data protection laws to the company and on effective measures to ensure compliance with the necessary legal provisions.