Author: New_admin

10 Key Words in the Data Protection Act

The Kenya Data Protection Act (“DPA“)applies to all persons who handle personal data. For effective compliance, it is necessary to understand the Act’s key terms. Outlined below, is my take on some of the key terms that may be relevant in your compliance journey. Data Protection Key Terms 1. Data Subject The DPA defines a data subject as any identified or identifiable natural person who is the subject of personal data. In other words, a data subject is any human being whose data is being collected, held or processed.  2. Personal Data Any information relating to an identified or identifiable natural person i.e. a human being. The illustration below shows some common forms of personal data. 3. Sensitive Personal Data In addition to the forms of personal data described above, the DPA establishes a special category of data known as Sensitive Personal Data. In essence, this is any information that reveals a human being’s, race, health status, social origin, property details, marital status, conscience, belief, genetic data, biometric data, family details including the name of the person’s spouse, children, sex or sexual orientation.  4. Data Controller A data controller is an individual, body corporate, public authority, agency or any other similar body which, alone or jointly with others, determines the purpose and ways of processing personal data.  Examples: In summary, a data controller is any person or organization that determines the purpose and means by which data is processed. 5. Data Processor This is an individual, body corporate, public authority, agency or similar body that processes data on behalf of the Data Controller.  6. Consent The DPA defines consent as “any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.” Data Subject consent should be:- 7. Data Retention This refers to the period of time that data can be held by a controller or a processor. The DPA provides that data controllers and processors may only retain data for as long as may be reasonably necessary but it does not prescribe specific timeframes for retention of data.  Instead, data processors and controllers should develop organisational measures that adequately address data retention.   In practice,  development and implementation data retention policies and processes may suffice. 8.  Data Commissioner This is the regulatory body responsible for regulating/enforcing compliance with provisions of the DPA.  As I write this,  the appointment and establishment of the Data Commissioner’s office has not been effected. However, there are indications that the appointment may be done within the second half of 2020. 9. Data Protection Officer (DPO) The primary obligation of DPO’s appointed pursuant to the Act is to provide oversight on compliance. In particular, DPO’s advise the business on the requirements of the Act but to also oversee compliance and facilitate capacity building of staff involved in Data Protection activities. Finally, the DPO is the liaison between the Data Controller and Data Processor on all matters relating to Data Protection 10. Personal Data Breach Under the DPA, a “personal data breach” means a breach of security leading to the accidental and unlawful destruction, loss alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Personal data breaches can occur in many ways. Firstly, a personal data breach may happen accidentally e.g. an email sent to the wrong recipients. It can also arise through deliberate actions or omissions of data controllers or data processors. Other examples include breaches arising from the theft of computer devices and the alteration of personal data. Data controllers should report data breaches to the Data Commissioner within 72 hours of occurrence. In addition, inform the concerned data subject of the breach within a reasonably practical period. Data processors must report breaches within 48 hours of occurrence. Section 43 of the DPA sets out the procedure for reporting personal data breaches.

4 Steps Towards Data Protection Compliance

Kenya’s new Data Protection Act (“DPA”) was recently hailed as a trailblazer and pace setter for data privacy in Africa. The DPA came into force in November 2019. Since then, business leaders have been making concerted efforts to understand its requirements and to formulate compliance plans.

Help! My Employees Are Stealing From Me!

From my experience of working in corporate Kenya, I consider employee theft as one of the biggest risks facing businesses. In fact, according to a recent report by the Kenya National Bureau of Statistics the number of Kenyan workers convicted for employment related offences rose by 60% last year. Similarly, a recent Microsoft Security Intelligence Report noted that in 2018, the incidences of cybercrime in Kenya rose by 167%.

5 Reasons Why Your Workforce May Be Redundant

There are various stages in business and each requires different approaches to workforce management. For instance, at the startup and mid growth phase, businesses are typically looking to grow their workforce. Therefore, management is preoccupied with finding and retaining the right talent to sustain growth.

Elements of Private Companies in Kenya

Introduction Private companies are popular vehicles for carrying on business in Kenya.  Private company registration  is carried out through an online platform known as e-Citizen (accessible here). It takes up-to five days from the date of submission of all requisite information to obtain a certificate of incorporation.

Top 5 Functions of Business Contracts

Introduction In the course of running a business, you inevitably require to enter into contracts with various stakeholders.  Contracts are agreements in which one party commits to providing  products, property or services to another in exchange for payment. Contracts may be either verbal or written.

Beginner’s Guide to Commercial Leases in Kenya

Introduction The global digital economy has made it very easy to start and run businesses. All you need is a computer, internet connection and a great idea. Most start-up entrepreneurs opt to set-up online businesses due to the easy set-up procedures and low operating and maintenance costs. However, as the business expands it may become necessary to set-up a physical office for effective coordination of operations. If your business needs a physical location, you may have to consider purchasing or renting some space. For rented premises, landlords often require tenants to execute commercial leases.

To Top