To mark Data Privacy Day on 28 January 2022, we sat down with Mr Joseph Githaiga, Head of Legal & Regulatory, Compliance Advisory, PwC Kenya, to talk about the state of data protection laws in Kenya and the country’s Data Protection Act (the “DPA”), which came into force on 25 November 2019.
The DPA gives effect to Article 31 of Kenya’s Constitution, which provides for the fundamental right to privacy. The DPA is largely modelled on the European Union’s GDPR.
Kenyan Wallstreet: Is Kenya able to measure and demonstrate compliance with global data privacy regulations?
Data protection laws in Kenya are still a very recent phenomenon and there is still a significant lack of awareness by organizations and by the public regarding the requirements of these laws. It is therefore too early to get an accurate measure of the extent of compliance with these laws within Kenya.
That said, the operationalization of the Office of the Data Protection Commissioner (“ODPC”) and the appointment of Ms Immaculate Kassait as Kenya’s first Data Protection Commissioner have given strong impetus to the implementation of these laws. The ODPC has been actively raising awareness of the Kenyan Data Protection Act (“DPA”) and associated Regulations through the media and engagement with various industry sector bodies. As a consequence, some sectors, such as financial services and telecommunications services, are able to demonstrate a higher degree of awareness and compliance than many others. It is expected that with time there will be widespread adoption of good data privacy practices across all sectors.
Kenyan Wallstreet: What are some of the major challenges facing Kenya when it comes to the Data Protection Act and compliance?
The DPA is a complex law, and many organizations are yet to fully comprehend the extent to which it impacts their operations and imposes obligations on them in their handling of personal data.
Additionally, the majority of Kenyans are unaware of their rights under the DPA and how to go about exercising them. According to a research survey released by Infotrak Research Consulting Limited in May 2021, 70% of Kenyans remain unaware of the DPA. Another challenge is that many organizations in Kenya are encountering data protection laws for the first time and may, therefore, not have adequate financial, HR and technical resources to implement effective data protection compliance frameworks.
Many organizations operating in Kenya with large data collection and processing operations are foreign-owned entities. This presents a significant risk of Kenyans’ personal data being processed in foreign jurisdictions due to cross-border transfers of data.
The ODPC, being a new regulator, is still in the process of developing its capacity to effectively implement the DPA. Given its broad mandate, which includes public awareness, investigations, and enforcement, it must be allocated a sufficient budget to invest in the right personnel, technology, and expertise to execute this mandate.
Kenyan Wallstreet: Recently, we’ve seen customers who use banks/financial institutions complaining about, or accusing their banks of, data breaches and privacy intrusion into their personal data. How can banks, financial institutions and telcos ensure this does not keep occurring?
The financial services and telecommunications sectors have been at the forefront of engaging the ODPC in understanding the requirements of the DPA. They have also been active in implementing data protection compliance frameworks within their organizations.
Some of the key recommendations on how these institutions can ensure integrity and accountability for the customer data they hold are:
- Appoint a Data Protection Officer (DPO) for the bank to guide compliance with the DPA and also act as a contact point for customers and the ODPC with respect to data privacy matters.
- Conduct data protection and privacy training and awareness sessions for employees and key stakeholders on a regular basis.
- Develop privacy notices to inform customers and the wider public of their rights under the DPA and how the institution handles personal data.
- Conduct data protection gap assessments to identify potential privacy risks and take measures to remediate any weaknesses identified.
- Put in place robust breach incident management processes that allow rapid identification and mitigation of data privacy breaches. This may involve notifying affected customers of the breach and guiding them on steps they can take to reduce risk.
Kenyan Wallstreet: Are Kenyan organizations adhering to Kenya’s Data Protection Act, which entered into force in 2019?
Many organizations are still in the phase of getting an understanding of the DPA and assessing the implications for their operations. Others have embarked on the process of developing systems to enable them to comply.
Kenyan Wallstreet: In your own opinion, has the Kenya Data Privacy Protection Act made significant strides towards ensuring that data protection requirements are being adhered to?
The ODPC has been sensitizing Kenyans as well as organizations on the DPA. The ODPC’s office has carried out a series of data privacy trainings and awareness webinars which have been advertised through the official social media portals of the ODPC such as Twitter, Facebook, LinkedIn and the ODPC’s website.
The ODPC’s office has also partnered with key stakeholders and market players in the banking industry, insurance firms, telecommunication, and mobile network firms as well as several government agencies.
We believe the DPA is still at its formative stage of implementation, and there has been good progress in its uptake, which is still ongoing.
Kenyan Wallstreet: What are some of the key data rights that Kenyans, both individuals and institutions, need to be aware of?
The key data subject rights to be aware of are:
- The right to be informed of the use to which your personal data is to be put;
- The right to access your personal data;
- The right to object to the processing of your personal data;
- The right to correction or deletion of misleading or false data; and
- The right to withdraw consent at any time.
Kenyan Wallstreet: Where personal data has been accessed or acquired by an unauthorized person or organization, what is the right procedure for handling such cases?
Where personal data has been accessed by an unauthorized person, and there is a real risk of harm to the individual whose data has been accessed, the DPA provides that the Data Commissioner must be notified within 72 hours of the breach incident occurring. In addition, impacted individuals should be notified within a reasonably practical period. The DPA further prescribes the sort of information that should be communicated regarding the breach. The notification to the ODPC can be made through its website, which provides a link for breach reporting.
Kenyan Wallstreet: Passed in 2019, the Kenya Personal Data Protection Act was designed to bring the protection of personal data from misuse in Kenya into the 21st century. Will this affect researchers?
The processing of personal data for research purposes is generally exempt from the provisions of the DPA. However, certain conditions must be met for the exemption to apply, such as (i) the personal data must be safeguarded against use for purposes other than research; and (ii) the results of the research must be anonymized so that the identity of the data subjects is not disclosed. The DPA empowers the ODPC to provide further guidelines on the use of personal data for research purposes.
Kenyan Wallstreet: What are some of the individual rights under the Kenya Constitution and the Data Protection Act, 2019 in relation to privacy and data protection?
The Kenyan Constitution establishes the right to privacy as a fundamental right and freedom bestowed on Kenyan citizens. The right to privacy includes the right not to have information relating to your family or private affairs unnecessarily required or revealed, and the right not to have the privacy of your communications infringed.
The key data subject rights under the DPA to be aware of are:
- The right to be informed of the use to which your personal data is to be put;
- The right to access your personal data;
- The right to object to the processing of your personal data;
- The right to correction or deletion of misleading or false data; and
- The right to withdraw consent at any time.
Kenyan Wallstreet: Many Kenyans have been victims of data brokers and marketing agents who send unsolicited text messages marketing goods or services. How can Kenyans protect themselves from such data scrapers who access their data without consent? (The data brokerage industry is currently unregulated.)
Processing of personal data for direct marketing without the consent of the individuals concerned is prohibited under the DPA. Data brokers and marketing agents should first obtain the express consent of the data subjects prior to sending text messages. Kenyans should report such breaches and violations of their privacy to the ODPC via its website at https://www.odpc.go.ke/file-a-complaint
Kenyan Wallstreet: Are we heading in the right direction as a country? In your expert opinion, what is the way forward?
The DPA is a recent law, and it will be a while before there is widespread adoption of appropriate data privacy practices. In the meantime, a lot of progress is being made by the ODPC in increasing public awareness of these laws and guiding organizations on compliance requirements. We expect that in due course the ODPC will start taking enforcement action in order to rein in bad practices, and that this will enhance compliance with the laws.