Latest Posts

In our previous article, we shared our thoughts on the importance of baseline training and why it  should be the first step in data privacy compliance. Along the same line, this week we look at the significance of establishing a governance framework for your privacy compliance program. Why privacy governance? Crafting an appropriate governance framework for your privacy program is essential to safeguarding personal data in your organisation. Some benefits of having a sound privacy governance framework are: a. Facilitating data protection compliance An efficient governance framework guarantees that your organisation meets all its legal obligations under the current data protection laws. Through this framework your organisation can outline its compliance obligations and map out a path to compliance. Furthermore, you can set out a privacy accountability framework to ingrain a culture of data protection within the organisation. b. Promoting brand reputation An efficient privacy program also enhances your organisation’s reputation. If you misuse customer data you run the risk of severe backlash from your clients which in turn dents your corporate image. A case example is the 2016 data breach and subsequent cover-up at Uber Technologies Inc. which saw its customer perception rating drop by 141.3%. A large part of this market share was lost to rival company Lyft Inc. An elaborate privacy governance framework would shield your organisation against such risks. c. Adopting a proactive approach to data protection Merely adhering to the mandated data protection laws and regulations is a simplistic approach to privacy. Where an efficient governance framework is in place, the organisation advances from simply reacting to the laws to actively embracing data privacy and using it to your advantage. A proactive approach to data protection tailors your compliance strategy to the realities of your business. In addition, it allows you to foresee potential data risks and employ relevant mitigation strategies. d. Improving operational efficiency Another benefit of good privacy governance is improved operational efficiency in all functions that process data in the business. A privacy team is perfectly placed to identify and minimise unnecessary costs that arise from inefficient data processing. They can do this by minimising the duplication of roles, eliminating duplicated data that drives up storage costs etc. In doing so, the team would not only save your business money, but also optimise work flow. Key Considerations for your Privacy governance structure 1. The privacy vision and mission A privacy vision statement is an aspirational statement that articulates what the organisation would like to achieve regarding data protection. Through the vision statement, the company’s leadership communicates core privacy values to other stakeholders in the organisation. A mission statement is a succinct statement describing why a data privacy framework exists and the overall goals of the framework. ,Moreover, it describes some of the core principles embodied in the framework. Both these statements embed a culture of privacy within the organisation that enables compliance. When stated in outward-facing communications like privacy policies, they demonstrate to the public a care for their personal information thus reaping the benefits of trust and loyalty. A perfect example of this is Apple’s privacy mission statement which reads as follows: “Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.” 2. Data governance When crafting your privacy governance framework, you should deeply consider your organisation’s data governance system. Data governance is a system which defines what type of data is handled in your business, how it is handled, by whom, how it flows throughout the organisation etc. Personal data is the central focus of privacy compliance therefore your privacy governance framework should demonstrate a keen understanding of the data processing operations of your business. Using data maps and similar data tracking tools you can document the footprint of data from when it is collected and recorded to when it is erased and disposed. As a result, you paint a holistic picture of your organisation’s interaction with personal data which guides your privacy governance program. 3. Positioning the privacy governance function In addition, consider how your privacy function will fit within your current internal and external reporting structures. Privacy governance needs to be strategically domiciled in the business to oversee crucial data processing operations. To illustrate, complex organisations with several department heads may need decentralise privacy compliance so as to incorporate all the departments that process personal data in the organisation. Conversely, a small or mid-sized enterprise might centralise the function by assigning it one person such as the CEO. In so doing, any policies, protocols or orders that are issued can be easily tracked and implemented throughout the enterprise. Moreover, organisations with stringent statutory requirements like government agencies and multinational corporations will need to align their privacy framework to their legal reporting obligations. Basically, establishing a privacy governance framework requires a broad understanding of the upstream and downstream interaction of stakeholders and the process of decision-making and issue resolution within your organisation. 4. Resourcing your privacy governance function   a) Appointment of a Privacy Team Once you have conceptualised the privacy governance framework and defined its objectives, the next step is to appoint a team. Depending on the organisation’s needs, a single individual may manage the entire function or an all-inclusive team may take it up. The team may comprise of individuals skilled in data protection or of data privacy champions from different departments. The Data Protection Act recommends the appointment of a data protection officer(DPO)  for organisations that regularly or systematically process personal data or for those that handle sensitive personal data. However, any organisation may appoint a DPO to facilitate the privacy compliance process. The DPO must have relevant academic or professional qualifications in matters relating..

Following the enactment of the Data Protection Act (the ‘Act’), 2019 and its supporting regulations, many organisations are gearing toward compliance. Privacy compliance has several aspects to it including determination of privacy governance structures; data mapping; privacy gaps assessments; development and implementation of policy and procedural frameworks; data security; and training & awareness. When embarking on the project, it is tempting to overlook initial training and sensitisation, but if properly executed it can guarantee the success of your compliance program. Let us consider some of the reasons why a privacy leader or manager should give priority to training and awareness as they develop a privacy compliance program.

In the course of doing business, it is common to interact with personal data relating to clients, suppliers, contractors and employees. You must handle this information in accordance with privacy laws and regulations to avoid litigation, regulatory fines and sanctions or disrepute to the business. With the enactment of the Data Protection Act (the ‘Act’) and supporting regulations, many businesses are now revisiting their relationship with personal data. In this article, we consider the scope of application of the Act and how and when the exemptions apply.

One of the key aspects of data protection compliance is procurement or third party vendor compliance. The Data Protection Act provides that where a data controller desires to use the services of a data processor, then he must first ascertain that the data processor has put in place sufficient safeguards for data protection.

One of the most challenging areas in data privacy compliance is on data breach management. The Data Protection Act, 2019 places an obligation on data controllers to notify the Data Commissioner and data subjects of some types of data breaches. Further, a notification must be done within 72 hours of becoming aware of the data breach. Data Processors must also report data breaches albeit to the data controller. What is a personal data breach and in what circumstances should an organisation make a notification? We tackle some frequently asked questions on this area of data privacy..

Data Protection compliance is a buzz word right now. What is it? Who is responsible? What is the cost of non-compliance? If you are in a leadership position in a company that handles personal data, you may be wondering about these and other related questions. More so, as a board member, you may share similar concerns or you may be wondering what the board’s role should be in compliance.

If you are pursuing privacy compliance, you may need to consider appointing a Data Protection Officer (“DPO”). Although the Act provides for the designation of a DPO in certain instances, it may be worthwhile for all organisations to consider designating one. Who is a Data Protection Officer and what are the benefits of appointing one? We consider common questions associated with the role of the Data Protection Officer.

Prior to 2020, digital lending witnessed an unprecedented rise and growth in Kenya. According to a 2019 FSD report, the boom was fuelled by widespread use of mobile phones, high demand for credit and a lax regulatory environment. Digital lenders fall into two main categories: mobile banking loans(i.e. loans by licensed banks such as M-Shwari) and digital loans (i.e. loans granted by unregulated firms like Tala and Branch). The regulatory environment made it very easy for unregulated providers to enter the market. By 2020, Kenya had over 120 digital lending platforms.

Successful privacy compliance programs hinge on the development and implementation of a wide range of policies. One such policy is the privacy policy. In this FAQ we consider some of the common questions that arise in the development and implementation of privacy policies.

Post Summary: