Introduction

The digital world keeps growing every day, and personal data has become one of the most valuable assets in the current world. From online shopping to social media to healthcare services, businesses collect massive amounts of data about individuals every day. This has led to a dire need to ensure that personal data is not misused by these entities.

The birth of the Data Protection Act, 2019 in Kenya marked a milestone in safeguarding data and upholding the constitutional principle of protecting citizens' privacy rights. This article explains the Data Protection Act, 2019 in a simple yet comprehensive way, focusing on what it means for businesses, legal practitioners, students and ordinary citizens.

Understanding what the Data Protection Act, 2019 is.

This law lays down a framework for how Kenyans' personal data is collected, stored, used and shared within the jurisdiction of Kenya. It embodies globally agreed best practices on data protection, particularly the European Union's General Data Protection Regulation, and aims to protect your personal data and privacy, accord you more control over your data, and provide structures for holding entities accountable for how they handle and use personal data collected from Kenyans.

What you need to know about the Data Protection Act as an Entrepreneur.

It is important to note that as an entrepreneur running an online shop, a hospital, a school or even a multinational investor within the territories of Kenya, this law requires you to:

  1. Get clear and informed consent from individuals before collecting their personal data. By informed, this law requires that an individual should be able to know what data is being collected, why it is needed, how it will be used and whether it will be shared.
  2. Give individuals whose data has been collected an opportunity, when they request it, to see the data and to make corrections where it is inaccurate.
  3. Allow individuals to request that their personal data be deleted if it is no longer needed by your business or if they at any point decide to withdraw their consent to the business using their personal data.
  4. Adopt proper cybersecurity measures and internal policies to ensure that collected personal data is safeguarded from unauthorized access or breaches.
  5. Appoint a Data Protection Officer, whose mandate is to ensure compliance with this Act, if your business handles large amounts of sensitive personal data.
  6. Before any cross-border transfer of data, which the Act restricts, put in place all measures necessary to ensure that the recipient country has a clear legal framework on data protection or, if it does not, obtain special consent.

Consequences of not complying with the requirements of the Data Protection Act, 2019

The Data Protection Act has established the office of the Data Protection Commissioner, who is in charge of enforcing the Act. The Act further defines penalties for non-compliance, ranging from fines of up to Kshs. 5 million or 1% of the business's annual turnover (whichever is lower) to legal action against the company, loss of the business's operating license, or reputational damage that can affect customer trust.

Steps Businesses can take to comply with the Data Protection Act 2019

  1. Ensure that the business knows the type of personal data it collects, where it is stored and who has access to it.
  2. Ensure that consent forms and privacy policies are regularly reviewed so that people can understand them and so that they clearly outline the user's rights.
  3. Ensure that the employees receive adequate training on data protection practices and responsibilities.
  4. Ensure that you implement adequate security measures to protect collected data, for example firewalls, encryption and secure storage systems.
  5. If your business is processing or handling large volumes or sensitive categories of data, you should appoint a Data Protection Officer.
  6. All data breach occurrences within the business should be reported to the office of the Data Protection Commissioner within 72 hours.

The Data Protection Act, 2019: Special considerations for Startups & Small and Medium-sized Enterprises

For these types of enterprises, compliance with the Act may be overwhelming. However, it is important to note that they should not ignore the fact that they are regulated by the Act. For this reason, we encourage them to take adequate steps towards compliance, for example reaching out to the Office of the Data Protection Commissioner for guidance on compliance. This not only helps the business with compliance but also builds customer trust, which places you above your competitors in the same field.

Our Final thoughts on the Data Protection Act, 2019

The spirit of the Data Protection Act, 2019 is about respecting people's rights, specifically the right to privacy and control over their individual data, while building trust in Kenya's digital economy. The Act also ensures legal compliance for all entrepreneurs handling people's data by making it a requirement.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. You should consult with a qualified legal professional for advice on your specific situation.