The Data Protection Bill, 2019, is officially a law! The president of the Republic of Kenya, HE Uhuru Kenyatta, signed the bill into law on 8th November 2019, marking a milestone in Kenya's data handling and processing.
The purpose of the Act is, among other things, to regulate the collection and processing of data in Kenya. It introduces elaborate obligations on persons who collect and process data, whose infringement would lead to stiff penalties: an administrative fine of up to KES 5 million or, in the case of an undertaking, up to 1% of its annual turnover of the preceding year, whichever is lower.
Robert Nyamu, the Digital Solutions, Financial Services and Risk Advisor Leader in East Africa at Ernst and Young talked to CIO East Africa, demystifying the implications of the new law and why it could not come at a better time.
Robert quickly points out that the law has a robust and extraterritorial application: it applies to data controllers and processors within or outside Kenya, in so far as they process personal data while in Kenya or the personal data of data subjects located in Kenya. The signing of the Act is a significant milestone in bringing quality, direction and clarity to data protection and privacy matters.
"The Act establishes the office of a Data Protection Commissioner which is to be headed by a Data Commissioner," Nyamu points out, adding: "The Data Protection Commissioner is obligated to implement the Act, establish and maintain a register of data controllers and data processors, exercising oversight on data processing operations and receiving/investigating any complaint by any person on infringement of the rights under the Act."
The law has been long awaited in Kenya and is the first critical milestone in giving good policy direction within the country, across many sectors, on data protection and on the rights of the citizen. Although a critical first step, a number of other steps need to follow, such as guidelines spelling out the specific details of how this will happen.
The Data Commissioner
The new law creates the position of a data regulator, the Data Commissioner, who will oversee data and its handlers, the data controllers and processors. It allows entities to appoint a single data protection officer between them, provided that the officer is accessible to each entity.
The office of the Data Commissioner will be empowered to drive clear policies and regulations on how data is governed and protected within the Kenyan context, and to help classify the importance of data.
"The Data Commissioner may carry out periodical audits of the processes and systems of the data controllers or data processors to ensure compliance with the Act," Nyamu avers. "The law further allows data controllers and data processors to appoint a data protection officer who may be a staff member whose role includes advising on compliance with the Act."
Processing of personal data is thereby prohibited unless the conditions laid out in the Act, including obtaining the consent of the person whose data is processed, are fulfilled. In addition, the processing of sensitive personal data is prohibited except on the stipulated permitted grounds. Further, personal data relating to the health of a person may only be processed by or under the responsibility of a health-care provider, or by a person subject to an obligation of professional secrecy under any law.
The Act outlines the principles of data protection which are modelled on the principles set out in the EU General Data Protection Regulation. It further stipulates the rights of persons whose data is collected, including the right to:
be informed of the use to which their personal data is to be put;
access personal data in the custody of a data controller or data processor;
correction of false or misleading data, and deletion of false or misleading data about them.
"It is a very significant milestone and we are very excited about it. We however urge the stakeholders to fast-track the process of setting up the office of the data commissioner and the guidelines, to finally have a full framework of data governance in the country," says Robert Nyamu.
The Act also outlines the conditions for the transfer of personal data outside Kenya, and stipulates that a person's data shall not be used for commercial purposes unless consent has been obtained from the person whose data is to be used.
Before the bill was proposed and later signed into law, as Nyamu recounts, Kenyans relied on bits and pieces of legislation sitting with individual regulatory bodies; for example, the insurance and banking industries drew references from Acts that contemplated how data could be treated, and used guidance notes from the Central Bank of Kenya and the Insurance Regulatory Authority.
"The data commissioner, as shall be appointed, must have the experience and gravitas in handling governance matters because this is a critical role to ensure that no more data abuse is perpetrated. Idea contribution from the stakeholders as to what they'd like to see in the guidelines is vital," he adds.
Implications of the new law
The new law consolidates those pieces under an apex regulator for data and its handling; it is a comprehensive and well-structured law, similar to the General Data Protection Regulation in Europe and the POPI Act in South Africa.
"Companies that operate regionally may have to adapt to the Kenyan law as it is the most superior regionally, so as to avoid potential fines in the future, and so as to ideally bring all the subsidiary companies to comply with the standards of the new law," he adds.
This law will address the abuses of privilege around the handling of data. Before this law, data handling was a free-for-all: there was no clear policy and/or regulatory direction on whether someone could handle, sell or move someone else's data without their consent. Companies mined, manipulated and processed data in malicious ways, usually without the data owner's consent, but could not be apprehended for lack of a proper stipulation on the matter.
Such culprits went scot-free by arguing that there was no law prohibiting such processing of data at the time and that law cannot be applied retrospectively; now that there is a law, such violations shall be punishable as spelt out in it.
"Going forward, anyone that handles data against the provisions of the Act (abuses of data in collection, processing, handling and sharing) shall be held liable," says Robert Nyamu. "The impact of this Act is that persons who collect, control, manage and store data will need to review their terms and conditions and operations to avoid the risks of non-compliance."
If the guidelines are spelled out in the right way, the law will attract big investors and technology giants.
In terms of implementation cost, Nyamu is uncertain about the exact figures but advises Kenyan taxpayers to brace for spending on it. "It is difficult to put an estimate on it; we need to first draw up an organogram of how the office will be structured," he says.
"The commissioner," he notes, "must appoint a few other people to work with, whose recruitment can commence at a more granular level. Once the Act is operationalized, data collection and analysis teams will deploy technology to ensure successful operations." Nyamu concludes: "The full operationalization of this Act may take two to three years."