Category: Data Protection

We would like to bring to your attention a recent decision (ODPC Complaint No. 1667 of 2024: Everlyn Lavuha Mugita Suing On Behalf of NSM (Minor) vs Nova Pioneer Kenya Limited) which underscores the importance of obtaining parental consent before sharing a minor’s personal information with third parties. The Nature of the Complaint The Complainant alleged that Nova Pioneer issued a letter containing her child’s personal information to third parties, specifically a travel agency and the U.S. Embassy Consulate, without obtaining prior parental consent. Nova Pioneer students had participated in the World Scholars Debate Championship and advanced to the global rounds, scheduled to take place at Yale University. As part of the visa application process, Nova Pioneer claimed that it had requested parents of participating students to sign a parental consent form to authorize the sharing of personal data with the travel agency and the U.S. Embassy. However, the school failed to provide evidence that the Complainant had granted such consent. Data Commissioner’s Determination The Data Commissioner ordered Nova Pioneer to pay the Complainant Kenya Shillings Five Hundred Thousand (KES 500,000/-) for the following violations: Failure to obtain parental consent before sharing the minor’s personal data with third parties (the travel agency and the U.S. Embassy), in contravention of Sections 30 and 33 of the Data Protection Act. Breach of key data protection principles, including: Respect for privacy Lawfulness, transparency, and fairness Purpose limitation Data minimization and proper justification for data collection Should you need any assistance in reviewing your data protection practices or implementing proper consent procedures, please do not hesitate to reach out.

Today, we turn our focus to the recently proposed Data Sharing Code, 2024, which aims to establish a structured and ethical framework for the sharing of personal data across various sectors. Once adopted, these guidelines will have significant implications for organizations involved in data processing and sharing.Key Highlights of the Proposed Data Sharing Code1. Principles of Personal Data Sharing The Data Sharing Code establishes the following fundamental principles for sharing personal data: Lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and transparently to the data subject. In addition, the purpose of data sharing activities and engagements should be transparent to all stakeholders. Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes. Data minimization: Only the minimum data necessary for the specified purpose should be collected or processed. Accuracy: Data must be kept accurate and up to date. Storage limitation – Data must be retained only as long as necessary for the specified purpose. Integrity and confidentiality: Data processing must ensure appropriate security, integrity, and confidentiality. Timeliness: data should be shared in a timely manner Interoperability: Where necessary, data should be structured to allow for interoperability across systems. In addition, the Code imposes restrictions on the following: Data stewardship: data ownership should not be transferred pursuant to a data sharing agreement. Redistribution of data: Recipients of data cannot resell or further sell the data without authorisation. Reidentification of anonymised data: reidentification of deidentified data is strictly prohibited. Consent: Data cannot be associated with other data sets without explicit consent. Publicly funded data: In certain cases, access to publicly funded data and datasets may be restricted for a limited period if adequately justified. Justifiable restrictions may include protections for national security, personal privacy, intellectual property, or confidentiality. 2. Compliance Obligations for Private Sector EntitiesPrivate organizations will need to implement key compliance measures, including: 2.1. Establishing a Legal Basis for Data Sharing: Organizations must document the lawful basis for sharing data. 2.2. Scope of Sharing: The scope of sharing envisaged under the Code includes routine data sharing for established purposes as well as exceptional, one-off decisions to share data for ad hoc or emergency purposes, 2.3. Duties of a transferring entity: Organizations transferring personal data must: Ensure compliance with data protection principles and consider data subject rights. Determine the purpose and means of data sharing. Enter into data-sharing agreements before sharing data. Obtain written data-sharing requests per the Data Protection (General) Regulations, 2021. Inform data subjects that their personal data will be or is being stored. 2.4. Duties of Receiving Entities: Before personal data is shared, the party receiving the data must: Implement measures to protect data confidentiality and consult with the data controller on confidentiality concerns. Limit data use to the specified purpose and avoid matching shared data with other datasets for reidentification. Provide a self-assessment, site inspection, or audit upon request from the data controller. Return or securely destroy personal data upon the expiration of the sharing period. Ensure data sharing is justified by evaluating proportionality, necessity, and safeguards. 2.5. Elements of Data Sharing Agreements: Data Sharing Agreements must include the following elements: Definitions of parties Purpose and legal basis for sharing Categories of data involved Roles and responsibilities of parties Processing details and security measures Retention, deletion, and agreement period Access controls and custodial responsibilities Costs, warranties, and indemnification clauses 2.6. Data Protection Policy and Contracts: Organizations should publish and regularly update their data protection policies. Data controllers and processors must engage in written contracts. 3. Data Sharing by Public Sector Organizations3.1. Public sector organizations must: Establish a clear legal basis for data sharing per the Data Protection Act, 2019.> Implement data protection by design and default. Justify each data-sharing activity and inform individuals about data-sharing purposes. Apply proportionate measures and share only necessary data. Enforce strict access controls and ensure secure disposal of shared data. Conduct benefit-risk assessments before sharing data. 3.2. Principles for Emergency Data SharingPublic bodies may request personal data to prevent serious physical harm or loss of life, protect public health, respond to crises, safeguard vulnerable children or adults, ensure national security, or take appropriate action against unlawful activities. Such requests must be made in writing and must clearly specify the nature of the emergency, the type of data required, the deadline for data provision, the frequency of access, and any conditions under which the data holder may be contacted. 3.3. Obligations of public sector data recipientsA public sector body having received data pursuant to a request shall: – Not use the data in a manner incompatible with the data request. Implement necessary technical and organizational measures that safeguard the rights and freedoms of data subjects. Destroy data once it is no longer needed for the stated purpose and inform the data holder that the data has been destroyed. 3.4. Data Sharing for Research and Analytics: Data shared for research should be anonymized and restricted to nonprofit organizations. In addition, Personal data cannot be sold or transferred outside Kenya without explicit consent and security safeguards.4. Cross-Border Data Sharing Cross-border transfers of personal data must comply with the requirements set under Kenya’s data protection laws and the proposed Data Sharing Code, 2024. The key provisions include: 4.1. Lawful and Secure Transfers All cross-border data transfers must be conducted lawfully, fairly, and transparently, ensuring that data subjects are informed of the transfer and their rights are protected. Personal data must only be collected and transferred for specified, explicit, and legitimate purposes. If the recipient country or organization lacks adequate data protection laws, the data controller or processor must implement appropriate safeguards to protect personal data during transfer and processing. 4.2. Data Subject Consent and Safeguards Cross-border data transfers should be based on the data subject’s informed consent. The data subject must be made aware of any risks associated with the transfer and retain the right to withdraw consent at any time. • Organizations must implement reasonable technical and organizational measures, including contractual safeguards, to prevent unlawful international transfers or unauthorized government access..

In 2024, the Office of the Data Protection Commissioner (ODPC) published two sets of draft regulations, and a guidance note aimed at enhancing data protection compliance: The Data Protection (Conduct of Compliance Audit) Regulations, 2024 The Data Sharing Code (Guidance Note) In this update, we focus on the Data Protection (Conduct of Compliance Audit) Regulations. Our next update will cover the Data Sharing Code. Overview: Data Protection (Conduct of Compliance Audit) Regulations, 20241. Object and Purpose of Regulations: The proposed Regulations aim to: establish a structured framework for conducting data protection audits promote audit quality and consistency establish accreditation criteria for data protection auditors 2. Types of Audits: The Regulations make provision for two types of audits: periodic audits and special audits.3. Initiation of Audits: The ODPC may conduct a data protection audit on its own, outsource the conduct of the audit or affirm a data protection audit report submitted to it by an accredited auditor. In addition, a data controller or processor may initiate audits on their own volition. a) Audits Initiated by the Data Commissioner: The Data Commissioner may initiate a compliance audit in the following circumstances: upon receiving a complaint regarding an entity’s data protection practice as part of broader regulatory investigation based on a risk assessment; or in response to a perceived or real privacy risk or data breach notification Prior to initiating an audit, the Data Commissioner shall provide a 30-day notice to the data controller or data processor.b) Audits Initiated by data controllers or data processors: A data controller or processor may, on their own volition, initiate a data protection audit to: – proactively assess their data protection compliance posture; or as part of a corrective measure following a data breach or other data protection concerns. A data controller or processor initiating a voluntary audit may engage an auditor accredited under the Act to conduct the audit.4. Accreditation of Data Protection Auditors: The Regulations establish a requirement for accreditation of independent data protection auditors. To be accredited, auditors must submit the following details to the ODPC: – Firm/establishment details Proof of academic and professional qualifications in data protection. Relevant experience in data protection audits. Evidence of adequate professional indemnity cover. Accreditation will attract a fee of Kes. 150,000/-. The accreditation is valid for a certain period of time although this period has not been defined in the Regulations. Upon expiry, the accreditation is renewable at a fee of Kes. 100,000/-The ODPC will maintain a public register of accredited auditors and may reject or revoke an application for accreditation. 5. The Audit Process: The Data Commissioner or the accredited data protection auditor shall, in conducting the audit, follow a structured process which shall include: – developing a detailed audit plan outlining the methodology, scope and timeline for the audit. conducting relevant interviews with data controllers or processors reviewing relevant documentation and records related to data processing activities including: data protection policies and procedures records of data processing activities data security measures and records of data subject requests and responses. The auditors may also perform necessary tests or assessments to evaluate compliance with the requirements of the Act.7. Data Controller Responsibilities in the Audit Process: Data controllers or data processors must provide the auditor with reasonable access to all relevant information and documentation necessary for conducting the audit, designate a contact person and fully cooperate with the auditor to address any non-compliance issues.8. The Auditor’s Responsibilities: Accredited auditors must: – conduct the audit in accordance with professional standards and best practices. plan the scope of the audit effectively based on specific needs employ appropriate audit methodologies to assess compliance with data protection requirements maintain confidentiality and security of all information received during the audit process. Avoid conflict of interests. 9. Reporting Audit Findings: Auditors must prepare a written audit report detailing the scope and methodology of the audit, as well as the findings and recommendations for corrective action. The data controller must receive the report and be given a reasonable timeframe to respond to the findings and recommendations.10. Enforcement Actions: Following an audit, the Data Commissioner may: – issue recommendations for improvement to the data controllers or processors, issue enforcement or penalty notices requiring the data controller to take specific corrective action initiate further investigation for non-compliance 11. Cooperation and Confidentiality: The Data Commissioner, the auditor, and the data controller or data processor shall all cooperate in a professional and timely manner throughout the audit process. All information obtained in the audit shall be treated as confidential except where disclosed with the authorisation of the data controller or processor or required to be disclosed by law. In addition, auditors must implement appropriate safeguards to protect the confidentiality of personal data accessed during the audit process 12. Reporting by the ODPC: The ODPC shall prepare and publish an annual report on the implementation of the Regulations, including the number of audits conducted and the audit findings and actions taken. The report shall be made available to the public to promote transparency and accountability. Next Steps:: The draft regulations are currently undergoing public participation before being tabled in Parliament for adoption. We will keep you informed of further developments. In the meantime, we recommend that you continue enhancing your privacy compliance program to minimise regulatory risks.New Book Alert!:As data protection compliance continues to evolve, we are excited to announce the upcoming release of our book, “Data Protection in Kenya: Case Law”. This book provides: A detailed analysis of key data protection cases in Kenya. Insights into regulatory enforcement trends. Lessons for businesses, legal professionals, and compliance officers. This resource will be an essential guide for anyone looking to navigate Kenya’s data protection landscape effectively. Order your copy here

In recent years, Kenya has witnessed significant developments in data protection. One key development has been the commitment to safeguarding personal and sensitive information, which is underscored by the enforcement actions taken by the Office of the Data Protection Commissioner (ODPC). Specifically, the ODPC has established mechanisms for receiving and determining complaints related to data protection. We have been tracking decisions taken by the ODPC with the aim of understanding the impact of the decisions on our clients’ operations. Below is a highlight of the key decisions: In the case of Liburuwen Lesanguru Kweri v Beehive Media Limited, [ODPC Complaint No. 0740 of 2023], Beehive Media Limited (Beehive”), was contracted by Capwell Industries Limited to provide advertising services for their maize flour products (“Soko” and “Amaize”). In executing its mandate, Beehive obtained an image from a public and royalty free image repository known as Shutterstock for use in a Father’s Day campaign. It was not in dispute that the image was obtained from Shutterstock and that there was no express consent from the data subject for use of the image. In its defence, Beehive stated that: – The ODPC determined that Beehive’s action of using an individual’s stock image for advertisements without their express consent violated their rights. However, the ODPC dismissed the complaint on the basis that Beehive had taken immediate steps to resolve the matter including pulling down the advertisements in dispute, terminating the contract they had with Shutterstock Inc., and reaching out to the data subject to try and settle the matter amicably. In the case of Isaya Lemerketo v Kenya School of Law [ODPC Complaint No. 0608 of 2023], The Kenya School of Law (“School”) made flyers featuring the complainant’s image and distributed them on their social media platforms (Instagram, Facebook & Twitter) and hardcopy marketing collateral without his consent. Upon receipt of the complaint, the School withdrew the flyers within 24 hours, took down the social media posts and communicated its actions to the data subject. The ODPC determined that the School’s action of using a person’s image without their consent violated his rights over his image. However, the ODPC commended the immediate actions taken by the School to resolve the matter and marked the complaint as resolved. In Edith Andeso v Olerai Schools Limited, [ODPC Complaint No. 725 of 2023], Olerai Schools Limited (“School”). Prior to termination of employment, the complainant was a full-time teacher at the School. After she was terminated, she raised a complaint that the School took photos of her and posted them on the School’s Facebook page without her consent. She further asserted that the photo created a perception that she was a member of the School thereby limiting her employment options. In its defence, the School stated that: – The ODPC determined that the complainant had knowledge of the purpose and context in which the photos were to be used and by her clear affirmative action, she consented to the processing of her personal data by the School. Therefore, the ODPC dismissed the complaint. In the case of Christine Wairimu Muturi v Roma School Uthiru, [ODPC Complaint No. 0841 of 2023], the complainant alleged that she was a parent at Roma School, Uthiru and that the School had processed images of pupils (minors) on TikTok, without the express consent of their parents or guardians. The School created a WhatsApp group through which it informed parents of its intention to publish minors’ images and videos on TikTok. This action prompted the parents to raise objections and leading to the filing of the complaint. In its response to the Data Commissioner, the School stated, without producing evidence that: – The Data Commissioner conducted independent investigations and determined that the respondent operates a TikTok and Facebook page on which it posted images and videos of pupils. As result, the Data Commissioner held that the School had failed to abide by the requirements of the Data Protection Act including the principles of data protection and protecting the rights of minors by seeking consent. The Commissioner issued an Enforcement Notice and a Penalty Notice and fined the School the sum of Kenya Shillings Four Million, Five Hundred Thousand (Kes. 4, 500,000/-) In the case of Abdinur Kassim & Luqman Hussein Kassim (Minor suing through his father and next friend) v Joyce Njoki Ngugi T/A Kora Spa [ODPC Complaint No. 0660 of 2023], the complainant alleged that the respondent processed the personal information relating to the minor for commercial purposes without consent of the data subject and minor’s guardian. The complainant visited the respondent’s place of business at Fedha Business Park Embakasi with the sole purpose and intention of obtaining barber services. While receiving the services, agents of the respondent took their photographs, without offering any explanation. Five days after their visit, the complainants discovered that the respondent had published the photographs on Facebook and Instagram without their consent. In response, the respondent denied the complainant’s allegations and stated that: The ODPC determined that posting the images on the respondent’s social media pages amounted to commercial use of personal data which required consent. The respondent failed to demonstrate that they had obtained the express consent of the complaint and his guardian. Further, the ODPC was unable to establish how long the images remained online after publication and before being pulled down. Therefore, the ODPC issued the respondent with an Enforcement Notice. In the case of Perpetual Wanjiku v Casa Vera Lounge, [ODPC Complaint No. 0607 of 2023], the Respondent, a popular bar and restaurant joint, captured images of the data subject and featured them on their  Facebook, Instagram and WhatsApp platforms without her consent . The Complainant filed a complaint alleging breach of privacy. In response to the complaint, the respondent stated that: – The ODPC conducted a site visit and ascertained that the notice was not visible to customers upon their entry to the respondent’s premises. As such, it was not considered to be sufficient notice as envisaged in the Act. Consequently, the..

On 5th of October 2022, the Office Data Protection Commissioner (“ODPC”) issued a public statement citing a raft of enforcement measures against 40 digital lenders and a leading healthcare provider. The move marks the first enforcement activity since the ODPC’s establishment. In this article, we consider the implications of the public notice issued by the ODPC. Q: What is the Office of the Data Protection Commissioner? A: An office set up under the Data Protection Act, 2019 (“The Act”) to regulate personal data processing in Kenya . The Data Commissioner heads the ODPC. Her powers include investigation of complaints made under the Act and imposition of fines.Q: Why did the ODPC put the digital lenders on notice? A: According to the notice, members of the public raised several complaints to the Data Commissioner regarding the lenders’ personal data processing practices. The notice did not specify the nature or bases of the complaints. However, we believe the complaints arise from the lenders’ use of data especially during debt collection. An earlier article we penned on this issue sheds further light on this. Since publishing the article, we have received numerous complaints from borrowers centered on privacy intrusive practices such as debt shaming, most of which we have referred to the ODPC.Q: What is the procedure for handling complaints? A: The Act and the Data Protection (Complaints Handling and Enforcement Procedures 2021) (“the Enforcement Regulations”) set out the procedure for handling complaints. In summary, upon receipt of a complaint, the Data Commissioner should notify the respondent of the complaint and require a response within twenty one days. If the respondent fails to respond, the Data Commissioner may take appropriate enforcement measures. Apart from inviting the respondent to make submissions, the Data Commissioner has power to investigate the complaint. This includes the power to summon persons to produce documents or give submissions on the complaint. Once the investigation ends, the Data Commissioner must make a determination based on the findings. The determination options include issuance of enforcement and penalty notices, dismissal of the complaint, recommendation for prosecution or an order for compensation to the data subject. Q: What enforcement action was proposed against digital lenders? A:  According to the notice, the ODPC shall conduct a preliminary documentary assessment and audit against 40 digital lenders listed in the notice. The Act does not define the term “preliminary documentary assessment and audit”. However, it gives the Data Commissioner the power to carry out periodical audits of the processes and systems of data controllers and processors to ensure compliance. Q:What does a documentary assessment and audit entail? A: Since the purpose of the audit is to determine the extent of compliance, the audit will most likely focus on the following aspects:- appropriateness of data protection policies in place lawful bases for processing personal data the extent to which automated data processing profiles borrowers and extent of borrower protection in these instances consent management ; how and when lenders seek consent to process personal data the extent of use of data protection impact assessments to comply with the Act evidence of staff training on data protection lender’s registration status Notably, the ODPC did not issue any official guidelines or regulations on the conduct of preliminary documentary assessments and audits.Q: If the outcome of the audit is negative, what are the likely consequences? A: The enforcement powers of the regulator as per the Act and the Enforcement Regulations include the power to issue enforcement notices, penalty notices, administrative fines or make orders for compensation of the complainants. Q: What is an enforcement notice? A: Under section 58 of the Act, the Data Commissioner has power to issue an enforcement notice to any person that fails to comply with the provision of the Act. The notice may be issued by email, physical delivery or by post. In terms of content, enforcement notices must specify the provision of the Act contravened and the requisite compliance requirements. In addition, the notice must specify a compliance period of not less than twenty one days. Finally, the notice must specify whether the person has any right to appeal. Q: What rights does a person have upon being issued with enforcement notices? A: A person served with an enforcement notice may apply for review of the notice in two instances. First, a review is possible on account of change of circumstances or where new facts have arisen. Additionally, a right to review arises if the failure outlined in the notice is curable without carrying out some of the requirements of the notice. Apart from review, a person has the right to appeal to the High Court, against any decision arising out of the enforcement notice. Such an appeal must be filed within thirty (30) days of the date of service of the enforcement notice.Q: What is a penalty notice? A: Where a person fails to comply with an enforcement notice, the Data Commissioner has power to issue a penalty notice. A penalty notice obliges the respondent to pay the Data Commissioner the administrative fine specified in the notice. The notice specifies the reasons for imposition of the fine. In addition, it also outlines payment modalities and the respondent’s right to appeal. The maximum amount leviable under the notice is Kes. 5,000,000/- one 1% of gross annual turnover whichever is lower. In addition, a penalty notice may impose a daily fine of not more than ten thousand shillings for each breach identified until the breach is rectified. Q: What enforcement action did the ODPC take against the healthcare provider? A: According to the public statement, the ODPC issued an Enforcement Notice against the healthcare provider for breaching the Kenya Data Protection laws. In particular, the ODPC stated that a patient raised a complaint to the effect that after visiting the hospital, staff inappropriately contacted him/her. The ODPC ordered the healthcare provider to take certain specific actions to mitigate or eliminate the breach within 30 days.Q: How will the complainants benefit from the enforcement measures? A: Apart..

Policy development is a key consideration for any organisation looking to comply with data protection laws. Data protection policies are a set of principles, rules and guidelines that define the goals of an organisation in terms of privacy compliance. They provide guidance on how to achieve compliance objectives. Apart from guidance, a sound privacy policy framework ensures consistency in data protection across your organisation, offers clarity on data protection obligations and promotes accountability within the business.This article is part of our ‘Roadmap to Data Protection Compliance’ series, which gives practical guidelines on how to comply with data protection laws and regulations. In this article, we outline the 5 basic data protection policies all organisations need to develop for compliance. Namely: Data Protection Policy Data Retention Policy Privacy Policy/Notice Information Security Policies Incident Response Policy/Plan 1. Data Protection Policy The first policy you need for privacy compliance is a Data Protection Policy. This is an internal policy which outlines your organisation’s approach to safeguarding personal data. It communicates to staff your expectations on how they should collect, use, disclose or otherwise process personal data. In addition, it enables an employer to communicate to staff the consequences of internal non-compliance. Through your data protection policy, you can address the following matters: First, the privacy governance structure within your organisation and the various roles and responsibilities assigned to each stakeholder. The data protection principles and the measures that you have put in place to comply with the principles Data subject rights handling including the mechanisms you have in place to receive and respond data subject rights Your expectations on matters such as data retention, data security, data breach prevention and response, direct marketing, etc. Any data protection measures that are unique to your business. For instance, a journalism company, health-related organisation, children organisation etc., will have a different approach to data protection than other business organisations. How staff should escalate privacy concerns within the organisation Lastly, the consequences of failing to comply with the policy 2. Data Retention Policies One of principles outlined under Section 25 of the Data Protection Act is storage limitation. This principle means that you should only keep personal information for as long as is necessary for the purposes of collection. Failing to define retention limits is a violation of the Act. A data retention policy is a set of guidelines that keep track of how long an organisation retains information and how to dispose of the information when it is no longer needed. Information here means both electronic/digital format as well as hard-copy format. In many cases, a retention policy covers all types of information processed within an organisation and does not necessarily confine itself to personal data. However, because the law mandates that personal data should not be retained indefinitely, you should the specify retention limits for personal data. The typical contents of a retention policy are: – Clear internal procedures for deletion and destruction The data kept in your organisation and the duration it is stored Justification for the retention period for each type of data A determination of which personal data should be backed-up and the duration of the back-up When defining retention periods for your data, consider the purpose for which you collected the information – If your lawful purposes for processing personal data still apply, you can continue to hold the data. However, when the purpose expires, consider your legal and regulatory requirements to retain data. For example, as evidence for tax and audits, or if necessary, in contemplation of potential lawsuits. Retention periods are not usually defined in data protection laws but you can refer to other relevant statutes e.g., the income tax Act or Companies Act. Moreover, consider whether you require the data for decision-making or business continuity e.g., AGM minutes or director and shareholder information. 3. Privacy Policies or Notices A Privacy Notice, commonly referred to as a Privacy Policy, communicates how an organisation safeguards the personal data it interacts with. It is sometimes confused for the Data Protection Policy. However, the key distinguishing factor between the two is that Data Protection Policy is an internal document addressed to staff within the organisation while Privacy Notices are outward facing policies directed at the individuals whose personal data is collected and processed by an organisation. A Privacy Notice can be directed at employees (Employee Privacy Notice), Website users (Website Privacy Notice), Clients or customers (Privacy Notice) etc.Privacy Notices typically contain: The identity and contact details of the data controller or processor, including contact details for your Data Protection Officer. An explanation of:- Why you collect and use personal data How you use and disclose the data How long you keep the data Your legal basis for processing. And any other special considerations e.g., regarding children’s data, health data, any International Transfers etc. Privacy Notices are the main platforms through which organisations communicate with data subjects on how they handle their personal data. Your business discharges its transparency obligation through these documents. Because your customers, clients, employees etc. heavily rely on your Privacy Notice, a misleading, incomplete, inaccessible or poorly worded document may result in massive fines, sanctions and reputational risks. This was the case in Facebook Inc. settlement against America’s Federal Consumer Protection Agency FTC where Facebook suffered huge financial and regulatory sanctions for deceiving its users on their privacy policy. To avoid this ensure your notices are accurate, clear and easy to understand especially for vulnerable groups like children. Further, ensure the notice is readily accessible to the reader at the relevant time i.e., before processing begins. 4. Information Security Policies Information Security Policies set out your organisation’s guidelines for detecting, preventing, and managing risks to business’ information. These risks include the loss, theft, copying, or any other derogation of information integrity. All the information you hold may be at risk of derogation including soft copy, hard copy or even oral information. Information security risks can originate internally or externally; and could be either malicious or accidental; No matter..

In our previous article, we shared our thoughts on the importance of baseline training and why it  should be the first step in data privacy compliance. Along the same line, this week we look at the significance of establishing a governance framework for your privacy compliance program. Why privacy governance? Crafting an appropriate governance framework for your privacy program is essential to safeguarding personal data in your organisation. Some benefits of having a sound privacy governance framework are: a. Facilitating data protection compliance An efficient governance framework guarantees that your organisation meets all its legal obligations under the current data protection laws. Through this framework your organisation can outline its compliance obligations and map out a path to compliance. Furthermore, you can set out a privacy accountability framework to ingrain a culture of data protection within the organisation. b. Promoting brand reputation An efficient privacy program also enhances your organisation’s reputation. If you misuse customer data you run the risk of severe backlash from your clients which in turn dents your corporate image. A case example is the 2016 data breach and subsequent cover-up at Uber Technologies Inc. which saw its customer perception rating drop by 141.3%. A large part of this market share was lost to rival company Lyft Inc. An elaborate privacy governance framework would shield your organisation against such risks. c. Adopting a proactive approach to data protection Merely adhering to the mandated data protection laws and regulations is a simplistic approach to privacy. Where an efficient governance framework is in place, the organisation advances from simply reacting to the laws to actively embracing data privacy and using it to your advantage. A proactive approach to data protection tailors your compliance strategy to the realities of your business. In addition, it allows you to foresee potential data risks and employ relevant mitigation strategies. d. Improving operational efficiency Another benefit of good privacy governance is improved operational efficiency in all functions that process data in the business. A privacy team is perfectly placed to identify and minimise unnecessary costs that arise from inefficient data processing. They can do this by minimising the duplication of roles, eliminating duplicated data that drives up storage costs etc. In doing so, the team would not only save your business money, but also optimise work flow. Key Considerations for your Privacy governance structure 1. The privacy vision and mission A privacy vision statement is an aspirational statement that articulates what the organisation would like to achieve regarding data protection. Through the vision statement, the company’s leadership communicates core privacy values to other stakeholders in the organisation. A mission statement is a succinct statement describing why a data privacy framework exists and the overall goals of the framework. ,Moreover, it describes some of the core principles embodied in the framework. Both these statements embed a culture of privacy within the organisation that enables compliance. When stated in outward-facing communications like privacy policies, they demonstrate to the public a care for their personal information thus reaping the benefits of trust and loyalty. A perfect example of this is Apple’s privacy mission statement which reads as follows: “Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.” 2. Data governance When crafting your privacy governance framework, you should deeply consider your organisation’s data governance system. Data governance is a system which defines what type of data is handled in your business, how it is handled, by whom, how it flows throughout the organisation etc. Personal data is the central focus of privacy compliance therefore your privacy governance framework should demonstrate a keen understanding of the data processing operations of your business. Using data maps and similar data tracking tools you can document the footprint of data from when it is collected and recorded to when it is erased and disposed. As a result, you paint a holistic picture of your organisation’s interaction with personal data which guides your privacy governance program. 3. Positioning the privacy governance function In addition, consider how your privacy function will fit within your current internal and external reporting structures. Privacy governance needs to be strategically domiciled in the business to oversee crucial data processing operations. To illustrate, complex organisations with several department heads may need decentralise privacy compliance so as to incorporate all the departments that process personal data in the organisation. Conversely, a small or mid-sized enterprise might centralise the function by assigning it one person such as the CEO. In so doing, any policies, protocols or orders that are issued can be easily tracked and implemented throughout the enterprise. Moreover, organisations with stringent statutory requirements like government agencies and multinational corporations will need to align their privacy framework to their legal reporting obligations. Basically, establishing a privacy governance framework requires a broad understanding of the upstream and downstream interaction of stakeholders and the process of decision-making and issue resolution within your organisation. 4. Resourcing your privacy governance function   a) Appointment of a Privacy Team Once you have conceptualised the privacy governance framework and defined its objectives, the next step is to appoint a team. Depending on the organisation’s needs, a single individual may manage the entire function or an all-inclusive team may take it up. The team may comprise of individuals skilled in data protection or of data privacy champions from different departments. The Data Protection Act recommends the appointment of a data protection officer(DPO)  for organisations that regularly or systematically process personal data or for those that handle sensitive personal data. However, any organisation may appoint a DPO to facilitate the privacy compliance process. The DPO must have relevant academic or professional qualifications in matters relating..

Conducting a privacy assessment is crucial to your data protection compliance journey. A privacy assessment is an in-depth evaluation of the personal data an organisation holds and its current data handling practices. Through this process you can identify the key privacy risks facing your organisation and the compliance gaps you need to fill. Privacy assessments involve two critical steps: data mapping and  gaps assessment. In this article, we consider the value of a privacy assessment to your privacy compliance program. We describe the best way to do this assessment in order to optimise your organisation’s compliance program. This article is part of our ongoing ‘Roadmap to Data Protection Compliance’ series which gives practical guidelines to businesses looking to comply with data protection laws. Previous articles in this series tackled initial training and sensitisation as a first step towards compliance and establishing a privacy governance framework as the second step. What is a privacy assessment? A privacy assessment is an analysis of how personal data is collected, used, shared, and maintained within an organisation. It is a risk management process that helps institutions identify the impact of their data processing operations on individuals’ privacy. Once data protection issues are identified, your organisation can develop remedial or mitigating actions to ensure compliance with data protection laws. Why conduct a privacy assessment? Privacy assessments give key privacy compliance stakeholders in your organisation a keen understanding of the personal data you collect and how it is processed. Privacy assessments can serve you in the following ways: – How to Carry out a Privacy Assessment There are two steps to carrying out a privacy assessment. The first is data mapping. A data map is a complete record or inventory of all the personal data processed in your organisation. This inventory provides an overview of how the data flows from its initial collection to the point it is erased. For a more in-depth look at how mapping supports privacy compliance click here. The second step is a gap analysis. This is a critical evaluation of all the data maps to identify data privacy gaps. In essence, you assess the extent of current compliance with data protection laws and regulations. You also identify the existing risks and data protection gaps in the processing of personal data in your organisation. Some best practices for privacy assessments include: Conclusion The privacy assessment process identifies all data protection gaps and privacy risk factors. We see how data has come into the organisation and how it moves, how it is used, how it is stored and secured and how it is finally erased. Your organisation can then implement the recommendations from the privacy assessment report, allowing you to develop an effective compliance program. Next week we continue with the ‘Roadmap to Data Protection Compliance‘ series by advising on the key policies required for data protection compliance.

In our previous article, we shared our thoughts on the importance of baseline training and why it  should be the first step in data privacy compliance. Along the same line, this week we look at the significance of establishing a governance framework for your privacy compliance program. Why privacy governance? Crafting an appropriate governance framework for your privacy program is essential to safeguarding personal data in your organisation. Some benefits of having a sound privacy governance framework are: a. Facilitating data protection compliance An efficient governance framework guarantees that your organisation meets all its legal obligations under the current data protection laws. Through this framework your organisation can outline its compliance obligations and map out a path to compliance. Furthermore, you can set out a privacy accountability framework to ingrain a culture of data protection within the organisation. b. Promoting brand reputation An efficient privacy program also enhances your organisation’s reputation. If you misuse customer data you run the risk of severe backlash from your clients which in turn dents your corporate image. A case example is the 2016 data breach and subsequent cover-up at Uber Technologies Inc. which saw its customer perception rating drop by 141.3%. A large part of this market share was lost to rival company Lyft Inc. An elaborate privacy governance framework would shield your organisation against such risks. c. Adopting a proactive approach to data protection Merely adhering to the mandated data protection laws and regulations is a simplistic approach to privacy. Where an efficient governance framework is in place, the organisation advances from simply reacting to the laws to actively embracing data privacy and using it to your advantage. A proactive approach to data protection tailors your compliance strategy to the realities of your business. In addition, it allows you to foresee potential data risks and employ relevant mitigation strategies. d. Improving operational efficiency Another benefit of good privacy governance is improved operational efficiency in all functions that process data in the business. A privacy team is perfectly placed to identify and minimise unnecessary costs that arise from inefficient data processing. They can do this by minimising the duplication of roles, eliminating duplicated data that drives up storage costs etc. In doing so, the team would not only save your business money, but also optimise work flow. Key Considerations for your Privacy governance structure 1. The privacy vision and mission A privacy vision statement is an aspirational statement that articulates what the organisation would like to achieve regarding data protection. Through the vision statement, the company’s leadership communicates core privacy values to other stakeholders in the organisation. A mission statement is a succinct statement describing why a data privacy framework exists and the overall goals of the framework. ,Moreover, it describes some of the core principles embodied in the framework. Both these statements embed a culture of privacy within the organisation that enables compliance. When stated in outward-facing communications like privacy policies, they demonstrate to the public a care for their personal information thus reaping the benefits of trust and loyalty. A perfect example of this is Apple’s privacy mission statement which reads as follows: “Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.” 2. Data governance When crafting your privacy governance framework, you should deeply consider your organisation’s data governance system. Data governance is a system which defines what type of data is handled in your business, how it is handled, by whom, how it flows throughout the organisation etc. Personal data is the central focus of privacy compliance therefore your privacy governance framework should demonstrate a keen understanding of the data processing operations of your business. Using data maps and similar data tracking tools you can document the footprint of data from when it is collected and recorded to when it is erased and disposed. As a result, you paint a holistic picture of your organisation’s interaction with personal data which guides your privacy governance program. 3. Positioning the privacy governance function In addition, consider how your privacy function will fit within your current internal and external reporting structures. Privacy governance needs to be strategically domiciled in the business to oversee crucial data processing operations. To illustrate, complex organisations with several department heads may need decentralise privacy compliance so as to incorporate all the departments that process personal data in the organisation. Conversely, a small or mid-sized enterprise might centralise the function by assigning it one person such as the CEO. In so doing, any policies, protocols or orders that are issued can be easily tracked and implemented throughout the enterprise. Moreover, organisations with stringent statutory requirements like government agencies and multinational corporations will need to align their privacy framework to their legal reporting obligations. Basically, establishing a privacy governance framework requires a broad understanding of the upstream and downstream interaction of stakeholders and the process of decision-making and issue resolution within your organisation. 4. Resourcing your privacy governance function   a) Appointment of a Privacy Team Once you have conceptualised the privacy governance framework and defined its objectives, the next step is to appoint a team. Depending on the organisation’s needs, a single individual may manage the entire function or an all-inclusive team may take it up. The team may comprise of individuals skilled in data protection or of data privacy champions from different departments. The Data Protection Act recommends the appointment of a data protection officer(DPO)  for organisations that regularly or systematically process personal data or for those that handle sensitive personal data. However, any organisation may appoint a DPO to facilitate the privacy compliance process. The DPO must have relevant academic or professional qualifications in matters relating..

Following the enactment of the Data Protection Act (the ‘Act’), 2019 and its supporting regulations, many organisations are gearing toward compliance. Privacy compliance has several aspects to it including determination of privacy governance structures; data mapping; privacy gaps assessments; development and implementation of policy and procedural frameworks; data security; and training & awareness. When embarking on the project, it is tempting to overlook initial training and sensitisation, but if properly executed it can guarantee the success of your compliance program. Let us consider some of the reasons why a privacy leader or manager should give priority to training and awareness as they develop a privacy compliance program.