
Data Privacy for SMEs
Summary guidance on data privacy for Small & Medium Enterprises
DATA PRIVACY


As we start 2024, it is essential to consider the impactful progress in privacy and data security that characterized the past year, while also looking forward to the ever-expanding future. In 2023 we saw the groundbreaking enforcement decisions by the Kenyan ODPC. A number of penalty notices (fines) were issued, to the tune of Kshs 9.3M. The tone was effectively set: non-compliance has a cost. Equally, 2023 was also characterized by cyberattacks on notable Kenyan firms. Both occurrences had not only a monetary but also a reputational impact on the affected firms.
The 2023 outlook paints a grim picture. There is the inherent risk of regulatory non-compliance and the greater risk of a cyberattack. As an SME, how do I protect my firm and our operations and remain in compliance with applicable privacy laws?
This article provides a guide on what Kenyan small & medium businesses need to know about data protection.
As an SME, does the Data Protection Act even apply to me?
Question: Do you collect, use, hold or do anything else with the personal information of employees, customers or vendors? Personal information is any information that can identify a living person. This could be anything from a name, email address or telephone number, to CCTV footage, medical information or a computer's IP address. If you answer yes to the above question, the DPA 2019 applies to your business.
11 things an SME needs to know...

1. Am I a data controller or processor? - The nature of your data privacy obligations will depend on whether you are a controller, joint controller or processor.
What to do:
Confirm your role and responsibilities in respect of your data processing activities, so that you understand your data privacy obligations and how to meet them; your responsibilities to individuals and to the regulator; the penalties associated with non-compliance, such as fines and other enforcement powers; and how you can work with other organizations to ensure you process personal data responsibly and respect individuals' rights. Check https://www.odpc.go.ke/register-data-controllers/

2. There are registration mandates - Section 18 of the Data Protection Act, 2019 and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 require all public and private organizations and individuals processing personal data to register with the ODPC. Data controllers or data processors whose annual turnover/revenue is below five million shillings and who employ fewer than ten people are exempt from mandatory registration under the registration regulations. However, there are sectors/categories of data controllers and data processors that are not exempt from mandatory registration. Check https://www.odpc.go.ke/register-data-controllers/
What to do:
Register & pay the applicable fees.

3. Data management is a necessity - Every firm carries some level of data, including personally identifiable information (PII). Without such data you would probably struggle to fulfil a contract or complete an order, so it makes sense to know what data you carry and to what extent.
What to do:
Create a data inventory - Document what type of data you collect, process and share, including the retention timelines. This can be effectively captured in a data privacy policy. Check out our guide.

4. Your customers care what happens to their data - They want to know what you plan to do with their personal data. They also want a say in what happens to it.
What to do:
Document what type of data you collect, process and share, including the retention timelines, and capture this in a data privacy policy (the data inventory from item 3). Check out our guide.

5. Is my processing lawful? - There are limits on what you can do with people's personal data. You need a 'lawful basis', which reflects the reasons you think it's within the law for you to be doing what you're doing. There's no lawful basis that's better or more lawful than the others.
What to do:
Review the Act - Section 30 of the DPA provides details on the lawful processing of personal data.

6. Know about data subjects' rights - There's more to data protection than storing and handling it in a safe way. At a glance, a data subject has a right:
- to be informed of the use to which their personal data is to be put;
- to access their personal data in the custody of a data controller or data processor;
- to object to the processing of all or part of their personal data;
- to correction of false or misleading data; and
- to deletion of false or misleading data about them.
What to do:
Make it easy - for data subjects to exercise their rights in an easy, effective way.

7. You are accountable for the responsible sharing of personal data - Almost every interaction you have with your customers involves them giving you their personal data, such as their names, telephone numbers and addresses. Sharing the data you hold in the right way and for the right reasons can help keep your business running and improve the services you offer.
What to do:
Define data sharing agreements - These legal instruments define the legal context in which the sharing of data is allowed, having assessed the risks, adopted appropriate actions and controls to minimize the identified risks, and defined provisions for the retention, further processing and deletion of data.

8. Privacy requires investment - Data protection compliance is an investment, one which helps you to avoid the cost and time of dealing with issues, such as formal complaints and breaches of personal data, that can come up when a business doesn't take effective steps to comply.
What to do:
Secure your data - The security of your computers and other IT systems is something every small business needs to get sorted, and you should test it regularly. The law says you should keep personal data safe, using measures you think are appropriate. The risks you face will be unique to your business and how you run it, but keeping data safe often includes making sure you've got up-to-date anti-virus software, being careful not to leave your laptop unattended, using strong passwords and training your staff so that your security is strong all along the chain.

9. It's an inside job - Your staff, vendors and partners need to understand their role in making sure your business complies with data protection laws.
What to do:
Train & sensitize - Train regularly and make sure the training is relevant to each person's role.

10. Data breaches must be reported - A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people's rights and freedoms following the breach.
What to do: Report & notify
- As a data processor, you must notify the data controller within 48 hours of discovery.
- As a data controller, you must notify the ODPC within 72 hours of discovery.
- Notify the data subject in writing within a reasonably practical period, unless the identity of the data subject cannot be established.
- Notify other applicable authorities & agencies.
11. Data protection is a journey - Data protection isn't something that can be done overnight.
Good information handling makes good business sense. You'll enhance your business's reputation, increase customer and employee confidence, and, by making sure personal information is accurate, relevant and safe, save both time and money. At Risk Response Africa, we offer insights into data privacy best practices and provide end-to-end advisory services for organizations navigating the intricate web of personal information protection.

Kenyan edition