Overcoming data protection challenges in financial institutions

The threat of data misuse and theft makes data security a key concern for consumers and regulators.

The risk of data theft and tampering has given rise to a number of data protection measures, both at the systemic and institutional levels.

The risk of infringing on a customer’s privacy is growing, given the increased frequency and granularity of the data being collected and advances in the technology for processing the same.

The enactment of the Data Protection Act into law in November 2019 was a watershed moment for Kenya.

Designed to protect personal data from misuse, the Act represents a significant step forward.

It facilitates lawful use of personal data - strengthening individual rights. The Act was operationalised through the appointment of a Data Commissioner in November 2019.

The Act governs the use, processing, and archiving of personal data. It establishes the Office of the Data Protection Commissioner and makes provision for the regulation of the processing of personal data.

It also stipulates the data producers’ rights and specifies the obligations of the data controllers and processors. Even then, the implementation of the Act has not come without challenges, especially for banks and other financial institutions.

The new data regulations coincided with changing customer attitudes to data protection, compelling banks to meet stronger privacy standards.

For starters, the implementation of the Data Protection Act has brought with it an inevitable change in culture. The Act has brought a significant change in terms of how data relating to data subjects are handled.

This has necessitated the training of staff in various financial organisations on the provisions of the Act as well as educating data subjects on the same, and their rights under the Act.

Secondly, while this law is applicable in institutions handling public data, the customers in these institutions have varying levels of knowledge. As a result, it may be challenging for customers with little education to understand their rights and the legal requirements of the Data Protection Act, including the customer’s right to request a bank to erase their data, update their data or share their data with another bank.

Thirdly, Section 32 of the Act provides for conditions of consent. Even then, banking entities should ensure this consent is “informed”, which means that the customer ought to understand data processing activities and their implications on their rights.

However, in rural and low-income communities, the data subjects may not understand their rights. Under section 40 (b) of the Act, a customer may not be aware of their right to have a bank erase all their data.

The Act gives a customer the right to request one bank to transfer data to another lender, which is impractical.

The requirement seems unfair as it would appear to promote “poaching” of customers. The law calls for the hiring of a Data Protection Commissioner, imposing an extra cost on the bank. It may necessitate a restructure to accommodate the new position and the creation of a new workstation.

There may be a need to hire an advocate to formulate or review the current privacy policy and to reprint Know Your Customer and Terms & Conditions documents, among other costs.

Davis Ayako is the Head of Data and Analytics at SBM Bank Kenya