Kenyan Issues New Guidance for Protecting Personal Data

11 months ago 41
News Banner

Looking for an Interim or Fractional CTO to support your business?

Read more

The Kenyan flag on a computer monitor screen

Source: David Makings via Alamy Stock Photo

Kenya's Office of the Data Protection Commissioner (ODPC) this week issued new guidance notes for data protection in the education, communications, and digital credit sectors, as well as a general guide for processing health data.

They build off of the Data Protection Act (DPA), the country's primary data protection legislation (and the impetus for the formation of the ODPC), which came into effect on November 25, 2019.

To help organizations adhere with the rules, the ODPC had previously published four so-called guidance notes pertaining to consent, elections, registration of Data Controllers and Data Processors, and a Data Protection Impact Assessment.

"Our law is quite young," Rachael Shitanda, deputy chair and vice chair of East Africa for the Africa Information & Communication Technologies Alliance (AfICTA), points out, "but I feel like with how the Office of the Data Protection Commissioner is going, we are building to very solid policy controls."

Dark Reading has reached out to the ODPC for comment on this story.

Data Protection Ramps Up in Kenya

DPA is already more than four years old, and "with COVID19, and all of the other things that were happening in the world, it didn't really have a big impact until more recent years," Shitanda says.

The effect has since been significant. Some months back, as just a few examples, the ODPC fined a restaurant — around $12,500 worth of Kenyan shilling, for posting photos of customers on social media — a digital credit provider — around $20,000, for collecting third-party contact information without user consent — and a school — just over $30,000, for publishing pictures of children without their parents' consent — all in accordance with DPA. 

Such conflicts between Kenyan businesses and the new data rules can be attributed to at least a couple of factors.

"There's a lot of compliance pushback. People are trying to get away with things, or trying to make the law seem like it's too constraining. But you know, with organizations there is always conflict when it comes to how much they can be regulated," Shitanda says.

More than that, she says, "I think there has been confusion. Because the law was enacted in 2019 — very recent — so a lot of people are unaware, or have a vague idea of what it actually means."

Raising Awareness Across the Country

Guidance notes for specific sectors are a marked step towards spreading awareness about Kenya's new data laws.

"They need to make it a conversation," Shitanda says of government regulators, citing the West as a model. "You can clearly see that people in the UK and maybe in the US are really aware about what their rights are when it comes to data sharing and their information, and how they can protect themselves, and how litigation works in case of infringement of their rights. Those are the kinds of things that we need to foster."

"We also need to foster confidence in business, because businesses play the biggest part when it comes to information asset management. We need to give them confidence so that they are able to report incidents — a transparent way of interaction," she adds.

For now, "the uptake is good," she says. "Information is being shared by the government with regards to personal data protection laws, and people are becoming more aware of their rights."

Read Entire Article