4 Steps Towards Data Protection Compliance
Kenya’s new Data Protection Act (“DPA”) was recently hailed as a trailblazer and pace setter for data privacy in Africa. The DPA came into force in November 2019. Since then, business leaders have been making concerted efforts to understand its requirements and to formulate compliance plans.
One thing to note is that the key enforcement agent (the Data Protection Commissioner) of the DPA is yet to be appointed. However, it is widely expected that the Commissioner’s appointment will be done within this year. Once this happens, hefty financial penalties and criminal sanctions will be imposed for non-compliance.
This article examines some of the ways business leaders can work towards DPA compliance.
STEPS TOWARDS COMPLIANCE
1. Sensitise Key Stakeholders
The DPA is expected to radically change the way businesses handle information belonging to both their internal (e.g. employees) and external customers. Consequently, all key stakeholders in an organisation should be made aware of the key responsibilities arising under the Act. This includes business owners, boards of directors and top management.
The main areas of focus for this top-level sensitisation include the definition of key terms (e.g. data, data controllers, data processing, data subjects), data collection, processing and storage methods, as well as the associated risks. It is also important to explore the various types of breaches and their attendant consequences.
Compliance Tip! Organise DPA training and roundtable sessions for all relevant stakeholders in your organisation. Thereafter, assign DPA compliance responsibility to a key officer or officers in top management (e.g. CEO/Director). In addition, appoint a project team led by a Compliance Project Manager. These actions will ensure that the organisation maintains focus on DPA compliance.
2. Evaluate Personal Data Handled by Your Organisation
Data audits provide key insights into the way in which data flows in and out of an organisation. Some of the key findings that can be drawn from the data audit process are noted below.
- the types of personal data held by the organisation and the purpose for which each is held;
- the organisation’s data collection, processing and storage methods (including who has access rights to the data);
- IT systems that interact with personal data and the data security mechanisms embedded in those systems;
- the risks that emanate from current data collection, processing and storage methods and the requisite risk mitigation measures.
For the audit process to be effective, all key departments in the organisation should be involved in the data mapping process. If you are not sure what departments are key, check out the tip below.
Compliance Tip! Try sending out a baseline survey to the organisation to determine which persons/departments/business units interact with personal data by collecting, processing or storing it. Use the survey results to develop a Business Data Owners Register.
3. Establish a Data Governance Framework
The DPA requires organisations to establish appropriate technical and organisational measures to ensure the security and privacy of personal data. Hence, it is imperative for business leaders to develop a data governance framework which documents compliance policies, processes and tools.
One of the key policies that should be developed is the General Data Protection Policy. This policy should give proper guidance on how data shall be collected and processed within the organisation. Below is an overview of the topics to be covered in the Data Protection Policy.
- General Data Protection Principles
- Accountability and Governance
- Roles and Responsibilities
- Data Subject Consent
- Basis for Processing Data
- Individual Rights
- Data Retention
- IT and Device Security
- Transfer of Data outside Kenya
- Data Breaches
- Reporting and Compliance
In addition to the foregoing, the Governance Framework should also contain a procedure for identifying and reporting data breaches to the Data Protection Commissioner’s office.
Compliance Tip! All policies should be accompanied by appropriate processes, controls and tools for enabling compliance. Examples include data consent and privacy processes/procedures.
4. Sensitise All Staff in Your Organisation on DPA Requirements
Data management training should go beyond top management and key decision makers to include all staff in the organisation. Such training creates awareness of the reputational and financial risks associated with data breaches.
Staff training also creates a sense of ownership of data protection and compliance. As a result, staff become comfortable with reporting any real or potential threats to the data protection, privacy and security of customers, clients or employees.
Finally, staff training reduces the incidence of breaches that arise from human error. Examples of human error include careless handling of company devices, sending information to the wrong recipients, password mismanagement, misplacing physical documentation, etc.
Compliance Tip! Train employees through e-Learning tools/modules. In addition to making learning fun, e-Learning can easily fit in with your employees’ busy schedules.
Disclaimer: The information on this blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no advocate-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional advocate, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date. While the blog is revised on a regular basis, it may not reflect the most current legal developments.