In recent years, Kenya has witnessed significant developments in data protection. One key development has been the commitment to safeguarding personal and sensitive information, which is underscored by the enforcement actions taken by the Office of the Data Protection Commissioner (ODPC). Specifically, the ODPC has established mechanisms for receiving and determining complaints related to data protection. We have been tracking decisions taken by the ODPC with the aim of understanding…

On 5th of October 2022, the Office Data Protection Commissioner (“ODPC”) issued a public statement citing a raft of enforcement measures against 40 digital lenders and a leading healthcare provider. The move marks the first enforcement activity since the ODPC’s establishment. In this article, we consider the implications of the public notice issued by the ODPC. Q: What is the Office of the Data Protection Commissioner? A: An office set up under…

Policy development is a key consideration for any organisation looking to comply with data protection laws. Data protection policies are a set of principles, rules and guidelines that define the goals of an organisation in terms of privacy compliance. They provide guidance on how to achieve compliance objectives. Apart from guidance, a sound privacy policy framework ensures consistency in data protection across your organisation, offers clarity on data protection obligations…

In our previous article, we shared our thoughts on the importance of baseline training and why it  should be the first step in data privacy compliance. Along the same line, this week we look at the significance of establishing a governance framework for your privacy compliance program. Why privacy governance? Crafting an appropriate governance framework for your privacy program is essential to safeguarding personal data in your organisation. Some benefits…

Conducting a privacy assessment is crucial to your data protection compliance journey. A privacy assessment is an in-depth evaluation of the personal data an organisation holds and its current data handling practices. Through this process you can identify the key privacy risks facing your organisation and the compliance gaps you need to fill. Privacy assessments involve two critical steps: data mapping and  gaps assessment. In this article, we consider the…

In our previous article, we shared our thoughts on the importance of baseline training and why it  should be the first step in data privacy compliance. Along the same line, this week we look at the significance of establishing a governance framework for your privacy compliance program. Why privacy governance? Crafting an appropriate governance framework for your privacy program is essential to safeguarding personal data in your organisation. Some benefits…

Following the enactment of the Data Protection Act (the ‘Act’), 2019 and its supporting regulations, many organisations are gearing toward compliance. Privacy compliance has several aspects to it including determination of privacy governance structures; data mapping; privacy gaps assessments; development and implementation of policy and procedural frameworks; data security; and training & awareness. When embarking on the project, it is tempting to overlook initial training and sensitisation, but if properly…

In the course of doing business, it is common to interact with personal data relating to clients, suppliers, contractors and employees. You must handle this information in accordance with privacy laws and regulations to avoid litigation, regulatory fines and sanctions or disrepute to the business. With the enactment of the Data Protection Act (the ‘Act’) and supporting regulations, many businesses are now revisiting their relationship with personal data. In this…

One of the key aspects of data protection compliance is procurement or third party vendor compliance. The Data Protection Act provides that where a data controller desires to use the services of a data processor, then he must first ascertain that the data processor has put in place sufficient safeguards for data protection.

One of the most challenging areas in data privacy compliance is on data breach management. The Data Protection Act, 2019 places an obligation on data controllers to notify the Data Commissioner and data subjects of some types of data breaches. Further, a notification must be done within 72 hours of becoming aware of the data breach. Data Processors must also report data breaches albeit to the data controller. What is…

Data Protection compliance is a buzz word right now. What is it? Who is responsible? What is the cost of non-compliance? If you are in a leadership position in a company that handles personal data, you may be wondering about these and other related questions. More so, as a board member, you may share similar concerns or you may be wondering what the board’s role should be in compliance.

If you are pursuing privacy compliance, you may need to consider appointing a Data Protection Officer (“DPO”). Although the Act provides for the designation of a DPO in certain instances, it may be worthwhile for all organisations to consider designating one. Who is a Data Protection Officer and what are the benefits of appointing one? We consider common questions associated with the role of the Data Protection Officer.

Prior to 2020, digital lending witnessed an unprecedented rise and growth in Kenya. According to a 2019 FSD report, the boom was fuelled by widespread use of mobile phones, high demand for credit and a lax regulatory environment. Digital lenders fall into two main categories: mobile banking loans(i.e. loans by licensed banks such as M-Shwari) and digital loans (i.e. loans granted by unregulated firms like Tala and Branch). The regulatory…

Successful privacy compliance programs hinge on the development and implementation of a wide range of policies. One such policy is the privacy policy. In this FAQ we consider some of the common questions that arise in the development and implementation of privacy policies.

Post Summary:

On 7th April 2021, the Task Force on Development of Data Protection General Regulations tabled draft data protection regulations before the Cabinet Secretary, Ministry of ICT, Innovation and Youth Affairs, Joe Mucheru. In addition, the Data Protection Commissioner published the draft Regulations on its website, paving the way for public consultation.

It has been over 100 days since the appointment of Kenya’s first Data Commissioner. The Data Commissioner is in charge of data protection compliance and enforcement. Let us consider some of the developments that have happened in this time.

In the last article, we considered the potential impact of the Data Protection Act on businesses in Kenya. This week, we consider how creating data maps can contribute to the overall success of your data privacy compliance program.

The Data Protection Act (“DPA”) became law on 25th November 2019. However, over fourteen months later, very few businesses have complied with the requirements of the Act. In fact, it is safe to say that the majority of them are yet to understand the law and the ensuing compliance obligations.

The Kenya Data Protection Act is set to impact all areas of business and more so, the HR or staffing function. In the “HR Professionals Guide to Data Protection” I gave broad insights on how the Act will affect the HR department. In this article, I consider the potential impact in the area of staff recruitment.

The operationalization Kenya Data Protection law is gaining momentum. The appointment of the Data Commissioner shall pave way for enforcement and regulation of personal data use. In this short video, I share some of the basic concepts contained in the Kenya Data Protection Act.

In a previous article, I discussed some of the reasons why a mobile app may need a privacy policy. The reasons set out there apply not only to mobile apps but also to all websites and online applications. This week, we consider some best practices for developing and deploying online privacy policies.

Have you developed or do you own a Mobile App? Does the App collect personal data such as email addresses, identification numbers, or banking information from users? If so, then it’s imperative that you have a Privacy Policy.

The Kenya Data Protection Act (“DPA“)applies to all persons who handle personal data. For effective compliance, it is necessary to understand the Act’s key terms. Outlined below, is my take on some of the key terms that may be relevant in your compliance journey. Data Protection Key Terms 1. Data Subject The DPA defines a data subject as any identified or identifiable natural person who is the subject of personal…

Kenya’s new Data Protection Act (“DPA”) was recently hailed as a trailblazer and pace setter for data privacy in Africa. The DPA came into force in November 2019. Since then, business leaders have been making concerted efforts to understand its requirements and to formulate compliance plans.