Enactment of Kenya’s Data Protection Act of 2019 follows the path taken by the European Union in enacting the General Data Protection Regulations (GDPR) in May 2018.
The Huduma Namba registration gave impetus to the enactment of this law, owing to concerns of the safety of personal data that was being collected by the government. This was attributed to lack of legal framework that would guarantee the privacy provisions stipulated under Article 31 of the Constitution.
In this digital age, organisations have come up with different technological solutions, including digital services, online advertising, e-communication and virtual sharing of information. There is thus a paradigm shift towards the digital space, with many organisations processing more and more data in order to drive strategic growth and improve their bottom-line. Owing to the rising amount of data created and processed by organisations, there is a great possibility of violation of data security and privacy, thus the rising need for data regulation.
Almost every company today collects data from either its customers, employees, suppliers and service providers. Data collected by organisations ranges from IP addresses, search histories, location, credit card numbers, purchase histories, among others. Inevitably, every organisation is likely to touch on private data of thousands or millions of individuals at some point.
READ MORE
All you need to know about the IMEI number
Don't share your data ignorantly, Kenyans warned
We must resist attempts to clip powers of data protection body
It is therefore critical for organisations to meet all the legal requirements at the initial stages of a product life cycle, especially when collecting and storing such data, including when onboarding new employees. Collecting data without the right privacy protections in place will have adverse and long-term effects on organisations and the penalties for breach are high enough to make organisations pay attention to data privacy. For instance, the fine for breach of the Data Protection Act could be as high as three per cent of the annual turnover of an organisation.
Effectively, data privacy should now be everyone’s responsibility within an organisation and it is gradually becoming a strategic issue. Organisations need to commit to high standards of data privacy while ensuring that their employees understand their commitment to the same. A long-term data strategy will result in having an employee base that understands and values protection of data – the new gold of the digital age. Employees are the predominant custodians of data in an organisation and the highest at risk of breach of privacy, hence the need to create awareness among employees on the legal requirements relating to data privacy.
This will entail making employees understand their roles in upholding high standards of data privacy during the collection, processing and storage of data, considering the significant impacts any form of data breaches will have on the business, especially the financial and reputational risks associated with breach.
So, how can organisations create a culture of data privacy? First, organisations, especially those that control and process large amounts of personal data, should consider designating a Data Protection Officer (DPO) who has a strong understanding of the various laws relating to data privacy that the company needs to comply with.
The DPO should be designated on the basis of professional qualities and knowledge and expertise in data protection laws and practices. The DPO will be a point of contact on matters data privacy and may fulfil other duties and tasks within the organisation, to the extent that such tasks do not result in conflict of interest.
Some of the key roles of the DPO will be to monitor activities relating to processing of personal data and getting involved early enough in the data processing cycle to ensure all legal requirements are met. They will similarly raise awareness and train staff involved in data processing operations while also assigning responsibilities aimed at ensuring compliance with data protection laws. In case a data breach occurs, they will be responsible for providing effective mitigations to reduce liability of the organisation while also receiving and managing any complaints from data subjects.
The DPO will serve as the chief champion of privacy in the organisation by developing institutional data governance policies and ensuring privacy is concerned whenever key decisions about the organisation’s strategy or products are made. It will therefore be necessary for the DPO to report to the highest levels of the organisation, for instance, the Board or Management, where strategic decisions are made.
Accordingly, it will be pertinent for organizations to support the DPO in performing their tasks by providing necessary resources to carry out their tasks and ensuring that the DPO continually upskill in order to keep abreast with emerging legal requirements on data privacy. Noting the value that has been placed on data, going forward, many stakeholders will be more inclined to work with organisations that have in place robust data governance mechanisms.
Data privacy will as a result be a great brand differentiator, as it will build customer loyalty and lack of it will certainly impede organisational growth. The image and reputation of a company with strong privacy mechanisms will create trust, which is the basis for establishing a loyal customer base.