The Business Case for Data Protection
Businesses get edgy when new policies and laws that affect their profitability are enacted. From the outset the question is whether there is really a need for the new laws; businesses weigh the cost of compliance against the cost of non-compliance. Simply put, new laws potentially present an added cost to the business. Others would argue that new laws regulating business processes have a negative impact on the ease of doing business and reduce investment opportunities. Few people wish to set up a business in an overly regulated environment. Perhaps it is for these reasons that it took Kenya more than a decade to debate and enact the Data Protection Act.
Granted, many businesses thrive on the data economy; their business models are largely based on unfettered access to, and trading in, data, especially personal data. Businesses built around the online economy, social media, telecommunications, market research, retail, advertising, health, philanthropy and education would not thrive without the unregulated opportunity to collect, analyse, transfer and trade in personal data.
I have researched, written and trained individuals on data protection and governance for a while now; in addition, I have carried out data governance audits for private, public, regional and intergovernmental bodies. From my experience, there is scant understanding of the concepts of personal data protection and institutional data governance. Often, at the beginning of a data governance audit or when drafting institutional data governance policies, I am referred to the IT department. The common phrase is ‘talk to the IT guys, they are the ones who deal with data’. Given this kind of institutional thinking, it becomes a task to convince other departments that they have an integral role to play in personal data protection and in data governance generally within the institution, and that they too are involved in the processing of data.
In view of this, is there a business case for data protection and data governance strategies?
It is instructive to bear in mind Article 31 of the Constitution, which provides that every person has the right to privacy, including the right not to have information relating to one’s family or private affairs unnecessarily required or revealed, or the privacy of one’s communications revealed. Data protection and governance are premised on this provision of the Constitution. Compliance with data protection laws protects, respects and promotes the individual right to privacy. Moreover, even apart from data protection laws, individuals may file suits against businesses to enforce their constitutional right to privacy.
Another key issue to bear in mind is that how a business governs personal data reflects how it handles its institutional data. Personal data, as defined in the Data Protection Act, 2019, refers to information relating to an identified or identifiable natural person, that is, a person who can be identified directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. My definition of institutional data is data relating to or about the institution, including but not limited to finance, human resource, legal, business operations, research and development, sales, marketing and supply chain information.
Often, while carrying out a data governance audit, I realise that institutions that have little regard for the protection of personal data also have poor institutional data protection protocols. One can easily access, analyse and transfer their data. Such an institution is vulnerable to corporate espionage and data breaches because it lacks a data security strategy.
It is beneficial for a business to do five things. One, map out the kinds of personal and institutional data it processes. Two, rank that data in order of priority in relation to processing and access. Three, adopt data security strategies that protect not only the personal data being processed but also crucial institutional data. Four, recognise that shareholders, board members, employees and agents of an institution tend to forget that their own personal data is also at risk if the institution is vulnerable; data protection strategies benefit not only the business but also the people working for or with it. Five, map out which institutions within its supply chain have adopted data governance protocols, and identify what data to transfer to them and whether that data will be secure.
Businesses tend to process all kinds of data. Compliance with data protection laws enables a business to map out all the data it processes and to identify which data is key for the business, as stated above. In effect, resources are applied only to the processing of relevant data, reducing business costs.
Data protection has gained prominence around the world. The European Union General Data Protection Regulation (GDPR) has generally provided the template for data protection laws in many countries. Even in Kenya, the Data Protection Act mirrors principles enshrined in the GDPR. For businesses with operations in the European Union, compliance with the GDPR is not optional. With more countries adopting data protection laws, it is instructive for businesses to note that data protection is here for the long haul.
Putting in place institutional data governance policies creates an institutional culture of protecting both personal and institutional data. It addresses the risks stated above and, crucially for the business, reduces the legal risk of non-compliance with data protection laws. Increasingly, data protection authorities are cracking the whip and issuing hefty fines to institutions that do not comply with data protection laws. Further, having a designated data protection officer, either as an employee of the business or as a consultant, enables a business to identify and address data protection risks for both personal and institutional data.
In conclusion, businesses should realise that data protection strategies are crucial to the health of their business. Having shareholders, management, staff and agents sign non-disclosure agreements is insufficient on its own to shield the business from the perils of non-compliance with data protection laws.