By Victor Orandi
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 specify the procedure the ODPC uses to register the relevant individuals and companies as data controllers and data processors in accordance with the DPA. The provisions of these Regulations will take effect from July 2022.
- Who is required to register?
The following categories of individuals/companies are eligible to register with the ODPC:
- An individual/company who decides on the purpose and method of processing personal data (Data Controller); and
- A person who processes personal data on behalf of the Data Controller (Data Processor), excluding the employees of the Data Controller, provided that the Data Processor has been contracted by the Data Controller and has no decision-making authority over how and why personal data is processed.
However, a Data Controller may apply for registration as both a data controller and a data processor in respect of any processing operations.
In the event a Data Processor processes personal data in excess of the instructions issued by the Data Controller, the Data Processor shall be considered a Data Controller in respect of that processing activity for the purposes of quantifying liability.
- Exemptions from registrations
A Data Controller or a Data Processor with an annual turnover of below Ksh. 5,000,000 or annual revenue of below Ksh. 5,000,000 and fewer than 10 employees is exempt from mandatory registration.
Annual turnover, in this case, means the preceding year's annual budget of non-profit-making organizations such as charitable and religious institutions, multilateral agencies or civil society organizations, while annual revenue means the total income of profit-making organizations for the year immediately preceding the year of registration.
However, an exempted organization must still comply with the principles and obligations of protection of personal data and the requirements for transferring data outside Kenya.
- Mandatory Registration
A Data Controller or Data Processor processing personal data for the following purposes shall be subject to mandatory registration (regardless of annual turnover/revenue and number of employees):
- Canvassing political support among the electorate.
- Crime prevention and prosecution of offenders (including operating security CCTV systems).
- Gaming and betting operators.
- Provision of education.
- Health care services.
- Hospitality industry firms, excluding tour guides.
- Property management, including the selling of land.
- Provision of financial services.
- Telecommunications network or service providers.
- Businesses that are wholly or mainly in direct marketing.
- Transport services firms (including online passenger hailing applications).
- Businesses that process genetic data.
- Duration of the certificate of registration
Once the applicant meets the required threshold, the Data Commissioner must, within fourteen (14) days of application, issue a certificate of registration valid for twenty-four (24) months from the date of issuance.
A registered Data Controller or Data Processor may apply for renewal of the certificate after it expires.
On the ODPC’s official website, the general public and any stakeholder will be able to view a list of registered Data Controllers or Data Processors. The list must be updated and published once every thirty (30) days by ODPC.
A Data Controller or Data Processor who fails to register or renew the certificate of registration and continues to process personal data risks a fine of up to Kenya Shillings three million (Ksh. 3,000,000) and/or imprisonment for a term of up to ten (10) years.
- What are the initial steps a company (Data Controller or Data Processor) can take before July 2022?
01. Create a Data Protection Plan.
- A Data Protection Plan (DPP) is a document that describes the type of protection expected and the rules for processing and presenting personal data.
- A robust DPP will help ensure data within the company is adequately defined, labelled, and controlled for registration purposes.
- The DPP shall describe the following elements:
a) Identification of personal data – In order to categorize the data subjects appropriately, the company must first identify which data in its records is personal. This will enable the company to properly describe the personal data that will be processed as well as the purpose of such processing.
b) Security measures for systems that store or transport the personal data – Once personal data has been identified, the company must deploy safeguards to protect the data while in transit and at rest.
c) Breach detection – Once the company has performed the above actions described in (a) & (b), it should perform a scenario-based risk assessment to manage data exfiltration and misuse.
02. Conduct an internal Data Protection Impact Assessment and implement appropriate safeguards with respect to the security and protection of personal data.
- A Data Protection Impact Assessment (DPIA) is a procedure that identifies and mitigates risks associated with personal data processing as far and as early as practical.
- The registration process requires a company to identify risks such as unauthorized access and theft and describe the safeguards, security measures and mechanisms implemented to protect personal data.
- DPIAs are an important tool for company decision-makers since they allow them to mitigate risks as early as feasible.
- During the registration process, a company must state the risks connected with personal data as well as the safeguards implemented to protect the data.
03. Appoint a Data Protection Officer.
- A data protection officer may be a lawyer or a staff member with knowledge and technical skills in matters relating to data protection.
- The Data Protection Officer's role shall be:
– To advise the company and its employees on the legal requirements for data processing.
– To ensure, on behalf of the company, that the data protection laws are complied with.
– To assist in capacity building of the employees involved in the company’s data processing activities.
– To advise the company on data protection impact assessment.
– To engage with the Data Commissioner or any other relevant authority on any matter relating to data protection.
04. Revise third party contracts.
Revise third-party and other relevant contracts to ensure uniform methods for data management and protection. This emphasizes the parties’ processing responsibilities and registration requirements.
05. Formulate or revise the data protection policy.
- The policy will describe the company’s data processing operations in order to ensure compliance with Data Protection laws and regulations.
- The policy aids the protection and security of any personal data acquired, used, managed, and stored by the company.
- The Policy will apply whether the processing takes place within one office, between different offices in the same or more than one country, or whether personal data is transferred to third parties.
- The company should employ legal expertise to create or review its data protection policy.
06. Seek specific legal advice on the applicability of the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 to your company and effective measures to ensure compliance with the necessary legal provisions.
You can reach out to us through victor@mmagareadvocates.com or matthew@mmagareadvocates.com for further advice on the above requirements and compliance with the Data Protection laws.