Understanding the Basis of Data Protection
The Data Protection Act 2019 (DPA) of Kenya establishes a framework for data privacy, processing, and protection. It aligns with global standards such as the General Data Protection Regulation (GDPR) and aims to safeguard and promote privacy, regulate the commercial use of data, and centre the person in data use. Compliance with the Act ensures that individuals’ rights are respected while allowing businesses to operate legally and ethically. For a holistic understanding of data privacy in Kenya, please read our earlier article titled Data Privacy in Kenya: A Comprehensive Overview.
The fundamental principles of the Data Protection Act of Kenya include:
- Lawfulness, Fairness, and Transparency: Data collection and processing must be lawful, fair, and transparent to the data subject.
- Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes.
- Data Minimization: Only the necessary data should be collected.
- Accuracy: Personal data must be kept accurate and up to date.
- Storage Limitation: Data should not be kept for longer than necessary.
- Integrity and Confidentiality: Security measures should be in place to prevent unauthorized access, loss, or damage.
Identifying Business Processes and Activities Where the Data Protection Act Applies
Organizations and businesses must identify and assess the activities involving personal data processing. These may include:
- Customer Data Handling: The collection and storage of customer details, such as names, contact details, and payment information. Entities must validate the lawful basis for each collection, provide privacy notices at the point of collection, and, where consent is the basis relied on, obtain granular consent for each purpose.
- Employee Records Management: Processing of personal and sensitive employee data. Employers must secure employee consent before collecting biometric data, keep health records separate from general personnel files, and limit the scope of background checks to what the role justifies.
- Marketing and Communication: Handling contact details for promotional activities. Businesses must provide opt-out mechanisms in every communication, refresh consents biennially, and maintain suppression lists so that opted-out contacts are not re-targeted.
- Third-Party Data Sharing: Sharing personal data with business partners, vendors, and other processors. Businesses should execute Data Processing Agreements that specify the required security measures and the processor’s breach notification obligations.
- Surveillance and Security Data: Collection and retention of CCTV footage and biometric access control records.
- E-commerce and Online Transactions: Storage and processing of customer data through digital platforms.
- Healthcare and Financial Services: Processing sensitive personal and financial information.
Organizations must perform a Data Protection Impact Assessment (DPIA) before undertaking high-risk processing and implement data localization where required.
Entities must be ready to respond to personal data incidents. It is a matter of when, not if.
Section 2 of the DPA defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Under section 43, where such a breach poses a real risk of harm to the data subject, the data controller must notify the Data Commissioner within seventy-two hours of becoming aware of it and notify the affected data subjects in writing within a reasonably practical period, so the incident response plan must allow the organization to establish what data was affected within that window.
Mapping Stakeholders in the Organization for Data Protection
A successful data protection strategy requires collaboration among key stakeholders. The main actors include:
- Data Controller: The entity that determines the purpose and means of processing personal data.
- Data Processor: A person or entity that processes personal data on behalf of, and on the instructions of, the data controller.
- Data Protection Officer (DPO): A designated person responsible for overseeing compliance with the Data Protection Act in a company.
- IT and Security Teams: Responsible for implementing technical safeguards to protect data.
- Legal and Compliance Officers: Ensure policies and procedures align with legal requirements.
- Human Resource Department: Manages employee data in compliance with the Act.
- Marketing and Sales Teams: Must ensure that data collection for customer engagement follows legal principles.
- Customers and Data Subjects: Individuals whose data is being processed.
By mapping these stakeholders, organizations can assign clear roles and responsibilities to enhance accountability and compliance.
Developing a Governance Framework for Data Protection
Organizations should establish a Data Protection Governance Framework to systematically manage compliance. This includes:
- Internal Data Protection Strategy:
  - Data Protection Policy: Establishes internal guidelines on data handling, storage, and sharing.
  - Data Privacy Statement: Defines the scope of data collection, purpose limitation, and data subject rights.
  - Designation of a DPO: Ensures oversight and compliance within the organization.
  - Data Classification and Categorization: Clearly defining personal and sensitive personal data so that each category attracts the appropriate controls.
  - Data Retention and Purpose Limitation Policies: Ensuring that data is stored only as long as necessary for the purpose for which it was collected, and then deleted or anonymized.
  - Security Measures: Implementing encryption of data at rest and in transit, pseudonymization or anonymization where full identifiers are not needed, access controls, and multi-factor authentication to protect data.
  - Internal Breach Notification Procedures: Documenting how staff report suspected breaches and how the organization triages, contains, and records them.
  - Employee Training and Awareness Programs: Regular training for employees on cybersecurity and data privacy best practices.
  - Privacy by Design Measures: Integrating data protection principles at the outset of business processes and technology development.
- External Data Protection Strategy:
  - Data Subject Rights Compliance: Ensuring mechanisms for access, correction, erasure, and portability of personal data.
  - Cross-Border Data Transfer Mechanisms: Establishing safeguards for the secure and lawful transfer of data outside Kenya.
  - External Breach Notification Protocols: Clear procedures for notifying the Data Commissioner and affected data subjects in the event of a data breach.
  - Consent Management Framework: Implementing procedures for obtaining, recording, and withdrawing user consent in compliance with the Act.
  - Third-Party and Vendor Data Compliance: Ensuring all third-party data processors comply with organizational policies and the Data Protection Act.
  - Incident Response Framework: Having a structured approach to identifying, responding to, and mitigating data breaches.
  - Engagement with the Office of the Data Protection Commissioner (ODPC): Ensuring compliance with registration, notifications, approvals, and other regulatory requirements.
  - Permissible Profiling and Automated Decision-Making: Defining and limiting the use of AI and automated processes in data analysis.
Compliance Challenges
Despite the importance of data protection, businesses and organizations face several challenges in achieving full compliance with the Data Protection Act, including:
- Cost and Burden of Facilitating Data Sharing and Portability: The lack of a standard template from the ODPC makes implementation difficult.
- Knowledge and Information Gaps: Across all levels of the organization, from executives to operational staff.
- Documentation Gaps: Incomplete records of data processing activities.
- Procedural Gaps: Missing step-by-step processes for handling data subject requests and breaches.
- Storage Gaps: Uncertainty about whether data is stored securely and for no longer than the required duration.
- Current Location of Data: Many organizations lack clear visibility of where their data resides, including copies held by processors and in cloud services.
- Inventory of Data Processing Activities: Lack of a structured approach to building and maintaining a data inventory.
- Justification for a Data Protection Officer (DPO): Determining when a DPO is necessary for compliance.
- Security of Data: Preventing unauthorized access, accidental loss, destruction, or damage.
- Procedures for Responding to Data Subject Rights: Meeting access, correction, and deletion requests within the required timelines.
- Internal and External Policies: The need for comprehensive policies governing data protection.
- Breach Notification Procedures: Internal and external mechanisms for timely reporting of breaches.
- Cross-Border Data Transfers: Establishing mechanisms for legally transferring data across borders.
- Employee Training: Sustaining regular training on data privacy and security measures.
- Privacy by Design: Integrating privacy measures into every data processing activity rather than retrofitting them.
- Engagement with ODPC: Defining processes for seeking advisory opinions and approvals before data processing.
- Permissible Profiling and Decision-Making: Ensuring automated decision-making aligns with legal and ethical guidelines.
How Njaga & Co Advocates Can Assist
At Njaga & Co Advocates, we specialize in helping businesses and organizations navigate the complexities of the Data Protection Act of Kenya. Our expert legal team can assist you with:
- Data protection compliance audits and assessments.
- Drafting and reviewing data protection policies and privacy notices.
- Training employees on data privacy and security best practices.
- Legal support in registering with the ODPC as a data controller or processor.
- Guidance on cross-border data transfers and international compliance.
- Incident response planning and breach notification support.
Let us help you ensure your organization is fully compliant with Kenya’s Data Protection Act. Contact Us today for expert legal advice and tailored data protection solutions.
Conclusion
Compliance with Kenya’s Data Protection Act is not just a legal requirement but also a strategic initiative that enhances trust, data security, and business reputation. By implementing internal and external data protection strategies, mapping relevant stakeholders, and adopting a robust governance framework, businesses can safeguard individuals’ privacy while maintaining operational efficiency. Regular gap analyses against the ODPC Compliance Checklist and participation in Data Protection Seal Certification programs help maintain alignment with evolving regulatory expectations.