What it Means for Companies as the Data Protection Act Takes Effect

Good news, Kenyans! The Kenyan Data Protection Act recently received a green light from Parliament.

It has been a long time coming as Kenyans continue to suffer under unfair laws and policies that infringe on their human rights, specifically in the area of data privacy and protection.

Many of us, if not all of us, have suffered a data breach or unwarranted use of our data in one way or another. It could be those unnecessary promotional messages or emails, or those digital lending companies contacting people in their defaulters’ contact lists without their permission.

Many companies have been operating with impunity, disregarding any need to protect their clients’ data and using it for their own selfish gain rather than the intended purpose. Some have even gone to the extent of selling their customers’ data.

According to the Data Protection Act, a data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence.

He or she is liable, on conviction, to a fine not exceeding Sh20,000 or to a term of imprisonment not exceeding six months, or to both fine and imprisonment.

Through the #BizHumanRightsKE, #NAPKenya and #DigitalRightsKe campaigns, the Bloggers Association of Kenya (BAKE), together with other partners, has been pushing for businesses to respect human rights, including the right to protect and secure their data.

This would also be made possible if the National Action Plan that was tabled in parliament is approved.

The NAP document is crucial in the sense that it compels businesses to uphold human rights, including the right to protect and secure their data, and details the consequences or punishment should businesses fail to do so.

With the appointment of the Data Protection Commissioner, it meant that we were headed in the right direction toward realizing the importance of protecting our most valued asset, data.

The Office of the Data Protection Commissioner was established under section 5 of the Data Protection Act 2019, which President Uhuru Kenyatta signed into law in November last year.

DPC Mandate

The Data Protection Act has a set of regulations that were approved, including the Data Protection (General) Regulations, 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

Data from Amnesty International revealed that 70 percent of Kenyans were not aware of the existence of the Data Protection Act (2019).

The Data Protection Regulations 2021, together with the complaints handling regulations, went into force on March 14. The registration of data controllers and processors will go into effect on July 14, 2022. Companies should start getting ready for this to avoid an unnecessary last-minute rush to comply with the regulations.

The Data Protection (General) Regulations, 2021 provide for the rights of a data subject and limitations on the commercial use of such information.

They also explain the roles of data controllers and processors, the communication of data breaches and the transfer of data outside Kenya.

In compliance with the law, all data controllers and data processors will now be required to register with the Office of the Data Protection Commissioner.

Companies found in breach of the new data regulations face fines of up to one percent of their annual turnover, after the parliamentary committee on delegated legislation passed the data laws.

“In relation to an infringement of a provision of this Act, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to five million shillings, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower.”

The fines will require organisations to review their data privacy policies to make them easier to understand and to prove compliance.

Sensitive data such as health status, marital status, sexual orientation, ethnicity, biometric data and names of children are also guaranteed special safeguards in the Act.

Additionally, the transfer of personal data out of Kenya is prohibited unless the data processors obtain express permission and prove that the information will be protected against misuse.

Are you a Kenyan company? Do you collect any customer data? If yes, do you have a data privacy and protection policy in place? If not, this is the time to invest in one and live by it. It’s not just about following the regulations, but about upholding the basic human rights that all customers deserve.



About the Author

Sharon Adisa
Sharon is a writer and editor who strives to continually further both the depth and breadth of her skills as a writer so as to contribute superior work and deliver client and customer satisfaction.
