The Data Protection Act, 2019 – What next for businesses?

Over the last few years there has been a lot of talk about the need to legislate on the right to privacy and data protection. It was hoped that such legislation would deal with unfettered surveillance capitalism, protect citizens against unwarranted state surveillance and offer a reasonable level of privacy to all. However, for entities engaged in the business of big data or profiting from surveillance capitalism, a law defining the right to privacy and data protection only spelt doom for their profitability. An unregulated data governance environment seemed the less expensive option for businesses. This said, the Data Protection Act, 2019 comes into operation on 25th November 2019.

Now that the law is here with us, what does it mean for your business operating in Kenya, or for you if you engage in business that derives data from Kenya? In a nutshell, the law regulates the collection, processing, storage and transfer of data within Kenya or derived from Kenya; it grants persons rights and power over their data; it will provide for data thresholds within which entities must be registered with the Data Protection Commissioner; it mandates entities to appoint data protection officers; it requires entities to regularly undertake data protection impact assessments; and it provides a dispute resolution process relating to data protection.

Hopefully you had read the writing on the wall and prepared your business for the inevitable – a data protection law. With the General Data Protection Regulation in operation in the European Union setting the template for model data protection laws, it is inevitable that States around the globe will enact data protection regulations. Further, with constant talk of a digital economy that is data driven, there was a need to regulate data governance.

So how do you prepare or ensure long term compliance with the Data Protection Act, 2019?

One, it is important that businesses create a culture of data protection, not only for personal data that is regulated under the Act, but also for data that relates to business operations, trade secrets, financial data, human resource data et cetera. This means that all employees must be well versed with the law and play an integral part in its implementation. Businesses must analyse and categorise the data that they deal with. In jurisdictions that have data protection laws, businesses often assume that data protection is the responsibility of the data protection officer only. Nothing is further from the truth as far as data protection and governance are concerned.

Two, businesses should consider internalising the law through institutional data protection policies that will bind all staff, employees and agents. Such policies would form part of the employment/service contracts offered by the business. This provides a somewhat higher level of commitment towards data protection.

Three, consider initiating the process of appointing or hiring a data protection officer. Though the language in the Act does not couch this in mandatory terms, it is instructive that a business engaged in large-scale data processing does have a data protection officer. This officer, who may have other roles within the business, will essentially ensure that the Data Protection Act is always complied with. However, it is key that this individual possesses the relevant knowledge and skills fit for the role.

Four, develop standard operating procedures (SOPs) in relation to data processing for your business. SOPs will clearly define how, within your business environment, your business will undertake data collection, processing, storage and transfer. SOPs will also provide practical mechanisms to deal with data security, retention, deletion and disputes.

Finally, carry out a data protection impact assessment to know where your business stands in terms of data protection and what you need to do to ensure compliance with the Data Protection Act, 2019. The assessment delves into all the operations of the business to inquire into the level of data use and handling.

The above steps will ensure that your business is not legally exposed to the possibility of legal challenges due to non-compliance with the Act.

~The writer can be reached via [email protected]

Showing 2 comments
  • stigmeista
    Wakili, this is good!

  • Michael
    Well articulated Ole. Possibly, this would be the first step? “ Finally, carry out a data protection impact assessment…”

    Mike
