Data Privacy in the Financial Services sector

By Joseph Githaiga & Jehaan Kassam (alumna)

Associate Director, Tax Legal Service - PwC Kenya | Senior Associate - Tax Legal Service at PwC Kenya (alumna)

Introduction

Every second, in every corner of the world, people’s personal data is being processed. The European Union’s General Data Protection Regulations (“GDPR”) set a new benchmark for international privacy frameworks when it came into force on 25th May 2018. The GDPR forms the gold standard for data protection globally.

Subsequently, the Kenyan Data Protection Act 2019 (the “DPA”), which is substantially modelled on the GDPR, came into force on 25th November 2019, breathing life into Article 31 of the Constitution of Kenya, which grants every person the right to privacy. The DPA governs the processing of personal data, which is defined as data relating to an identified or identifiable natural person (the “Data Subject”). It imposes significant obligations on organisations which are established or resident in Kenya or are situated outside Kenya but process or control the personal data of data subjects located in Kenya. The DPA establishes a regulator, the Office of the Data Protection Commissioner (“ODPC”) headed by the Data Commissioner (“DC”), to oversee the implementation and enforcement of the DPA.

To date, the ODPC has been largely engaged in sensitising the Kenyan population on the provisions of the DPA. According to the ODPC’s Strategic Plan, this will continue to be a key area of focus, as it intends to provide stakeholders with adequate information to promote compliance. The ODPC has also listed the establishment of policy frameworks as a key consideration in the Strategic Plan. We therefore anticipate the release of sector-specific guidelines for the financial services sector.

Prior to the enactment of the DPA, data was collected by financial institutions in accordance with the Banking Act, the Central Bank of Kenya Prudential Guidelines, the Proceeds of Crime and Anti-Money Laundering Act, the Kenya Information and Communications Act, the National Payment Systems Act, the Capital Markets Act, the Insurance Act, the Retirement Benefits Act and the Consumer Protection Act. These sector-specific pieces of legislation providing for disclosure of data are still applicable. However, the DPA provides an overarching framework applicable to personal data and which mandates financial institutions to be conscious of customer privacy.

Three sets of Data Protection Regulations were published in the Kenya Gazette on 14th January 2022 and came into force on 11 February 2022.

The first is the Data Protection (General) Regulations 2021, which provide for enabling the rights of data subjects, restrictions on the commercial use of personal data, obligations of data controllers and processors, elements to implement data protection ‘by design or by default’, notification of personal data breaches, transfer of personal data outside Kenya, and Data Protection Impact Assessments (“DPIA”).

The second is the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021, which provide for the procedure for registration of data controllers and processors under the DPA, including the requirements for registration and the process for approval, renewal and exemption from mandatory registration. The provisions of these Regulations shall come into effect in July 2022. Lastly, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations 2021 provide for the procedure for lodging, admitting and responding to complaints with the ODPC. They also provide for the issuance of enforcement and penalty notices.

With the enactment of the DPA and the Regulations, Kenya now has a comprehensive data protection framework. The financial services sector typically handles large amounts of personal data relating to clients while carrying out know-your-customer (KYC) procedures, as well as the personal data, sensitive personal data and health data of employees. Dealing with third parties also introduces data privacy risks. Financial services organisations are therefore expected to have already taken the necessary steps to be compliant. At PwC, we have had the opportunity to support several financial services organisations to assess and develop data protection frameworks.


One way of mitigating data privacy risks is through the development of data privacy governance structures, strategies, policies, procedures, notices, and guidelines that are aligned with the DPA. These enable an organisation to respond to the constantly changing data protection landscape. A clear programme plan that elaborates prioritised activities can further assist organisations to strengthen their data protection compliance framework. This could include the creation of inventories detailing the personal data processed by the organisation, building a comprehensive data register, creating a clear breach notification process, reviewing contracts with third parties to ensure they include the relevant data processing clauses, and determining appropriate and lawful ways for the organisation to transfer personal data abroad.

Having taken an inventory of the data already held, it will be important for the organisation to rethink the data it processes in order to determine its actual data needs. Any unnecessary or excessive data should be purged, and data processes designed to comply with the principle of data minimisation. The DPA and Regulations require organisations to conduct a DPIA to help identify and minimise the data protection risks which a new process, technology, system or device might pose to an individual. Data protection legal scoping assessments can help to establish whether the DPA applies to your organisation, how it applies, whether a DPIA is required and whether a Data Protection Officer (“DPO”) needs to be appointed.

An organisational data privacy framework should not be left to institutional memory. Key strategies, policies and playbooks must be documented in order to ensure a smooth transition when employees are replaced.

Entities should also conduct a gap assessment to understand how personal data is currently managed in the organisation and identify where gaps exist against the DPA. Such assessments are typically conducted by privacy professionals. A gap assessment will review the impacted processes, identify gaps and offer comprehensive and practical recommendations regarding the organisation’s obligations as a data controller, data processor and in other roles within the data processing chain.

Increased digitisation and automation, globalisation and the exponential growth of social media have only made data privacy and protection a more complex and critical risk theme for organisations to manage. Data protection and privacy is, in fact, a multidisciplinary problem, and it requires several skill sets to effectively manage the associated risks, including legal experts, cybersecurity specialists, and risk and governance experts.

Privacy risks should be a priority in the boardroom, and directors have to ensure data privacy is given the attention it requires. A sound data security programme should incorporate stakeholders from across the business who bring different perspectives to the issues. The board should define metrics for measuring the effectiveness of the privacy programme and review them on a quarterly basis.

Conclusion

In conclusion, organisations should take stock of the new regulatory environment in which they operate, which is marked by a new and active privacy regulator as well as increasingly aware and assertive consumers. Organisations that fail to take action now expose themselves to potential regulatory sanctions as well as loss of customer trust and brand reputation. It is therefore imperative that you choose the right advisers, who can demonstrate the relevant mix of expertise, experience and competencies to support you on your privacy compliance journey.

Joseph Githaiga

Associate Director, Tax Legal Service - PwC Kenya T: +254 20 285 5401 E: joseph.githaiga@pwc.com
