Many organizations in Kenya are yet to start implementing the Data Protection Act (DPA) of 2019. Most of them are still in the phase of getting an understanding of the DPA and assessing the implications for their operations. Others have already embarked on the process of developing systems to enable them to comply.
Many local organizations that are encountering data protection laws for the first time “do not have adequate financial, HR and technical resources to implement effective data protection compliance frameworks.”
According to data from a study conducted by Infotrak Research Consulting Limited in May 2021, 70 percent of Kenyans are still not aware of their rights under the DPA and how to go about exercising them.
The act provides citizens with the right to be informed of the use to which their personal data is to be put, the right to access their personal data, the right to object to the processing of your personal data, the right to correction or deletion of misleading or false data and the right to withdraw consent at any time.
A key area of concern is that many organizations operating in Kenya with large data collection and processing operations are foreign-owned entities. This presents a significant amount of risk of the personal data of Kenyans being processed in foreign jurisdictions due to cross-border transfers of data.
To increase their level of compliance, PwC advises institutions and organizations to appoint a Data Protection Officer (DPO) to guide compliance with the DPA and also act as a contact point for customers and the ODPC concerning data privacy matters. Additionally, they should conduct employee data protection and privacy training and awareness to key stakeholders regularly.
Further, institutions that collect personal data need to develop privacy notices to inform customers and the wider public of their rights under the DPA and how the institution handles personal data. They also need to conduct data protection gap assessments to identify potential privacy risks and take measures to remediate any weaknesses identified.
To deal with data privacy breaches, Mr. Githaiga advises institutions to put in place robust breach incident management processes that allow rapid identification and mitigation. This may involve notifying affected customers of the breach and guiding them on steps they can take to reduce risk.