Kenya Data Commissioner Makes First Enforcement Move

On 5 October 2022, the Office of the Data Protection Commissioner (“ODPC”) issued a public statement citing a raft of enforcement measures against 40 digital lenders and a leading healthcare provider. The move marks the first enforcement activity since the ODPC’s establishment. In this article, we consider the implications of the public notice issued by the ODPC.

Q: What is the Office of the Data Protection Commissioner?

A: An office set up under the Data Protection Act, 2019 (“the Act”) to regulate personal data processing in Kenya. The Data Commissioner heads the ODPC. Her powers include investigation of complaints made under the Act and imposition of fines.

Q: Why did the ODPC put the digital lenders on notice?

A: According to the notice, members of the public raised several complaints to the Data Commissioner regarding the lenders’ personal data processing practices. The notice did not specify the nature or bases of the complaints. However, we believe the complaints arise from the lenders’ use of data, especially during debt collection. An earlier article we penned on this issue sheds further light on this. Since publishing that article, we have received numerous complaints from borrowers centred on privacy-intrusive practices such as debt shaming, most of which we have referred to the ODPC.

Q: What is the procedure for handling complaints?

A: The Act and the Data Protection (Complaints Handling and Enforcement Procedures) 2021 (“the Enforcement Regulations”) set out the procedure for handling complaints. In summary, upon receipt of a complaint, the Data Commissioner should notify the respondent of the complaint and require a response within twenty-one days. If the respondent fails to respond, the Data Commissioner may take appropriate enforcement measures. Apart from inviting the respondent to make submissions, the Data Commissioner has power to investigate the complaint. This includes the power to summon persons to produce documents or give submissions on the complaint. Once the investigation ends, the Data Commissioner must make a determination based on the findings. The determination options include issuance of enforcement and penalty notices, dismissal of the complaint, recommendation for prosecution or an order for compensation to the data subject.

Q: What enforcement action was proposed against digital lenders?

A: According to the notice, the ODPC shall conduct a preliminary documentary assessment and audit against the 40 digital lenders listed in the notice. The Act does not define the term “preliminary documentary assessment and audit”. However, it gives the Data Commissioner the power to carry out periodic audits of the processes and systems of data controllers and processors to ensure compliance.

Q: What does a documentary assessment and audit entail?

A: Since the purpose of the audit is to determine the extent of compliance, the audit will most likely focus on the following aspects:
- appropriateness of the data protection policies in place
- lawful bases for processing personal data
- the extent to which automated data processing profiles borrowers, and the extent of borrower protection in these instances
- consent management: how and when lenders seek consent to process personal data
- the extent of use of data protection impact assessments to comply with the Act
- evidence of staff training on data protection
- the lender’s registration status

Notably, the ODPC did not issue any official guidelines or regulations on the conduct of preliminary documentary assessments and audits.

Q: If the outcome of the audit is negative, what are the likely consequences?

A: The enforcement powers of the regulator under the Act and the Enforcement Regulations include the power to issue enforcement notices, penalty notices and administrative fines, or to make orders for compensation of the complainants.

Q: What is an enforcement notice?

A: Under section 58 of the Act, the Data Commissioner has power to issue an enforcement notice to any person that fails to comply with a provision of the Act. The notice may be issued by email, physical delivery or by post. In terms of content, an enforcement notice must specify the provision of the Act contravened and the requisite compliance requirements. In addition, the notice must specify a compliance period of not less than twenty-one days. Finally, the notice must specify whether the person has any right to appeal.

Q: What rights does a person have upon being issued with an enforcement notice?

A: A person served with an enforcement notice may apply for review of the notice in two instances. First, a review is possible on account of a change of circumstances or where new facts have arisen. Additionally, a right to review arises if the failure outlined in the notice is curable without carrying out some of the requirements of the notice. Apart from review, a person has the right to appeal to the High Court against any decision arising out of the enforcement notice. Such an appeal must be filed within thirty (30) days of the date of service of the enforcement notice.

Q: What is a penalty notice?

A: Where a person fails to comply with an enforcement notice, the Data Commissioner has power to issue a penalty notice. A penalty notice obliges the respondent to pay the Data Commissioner the administrative fine specified in the notice. The notice specifies the reasons for imposition of the fine. In addition, it outlines payment modalities and the respondent’s right to appeal. The maximum amount leviable under the notice is Kes. 5,000,000/- or 1% of gross annual turnover, whichever is lower. In addition, a penalty notice may impose a daily fine of not more than ten thousand shillings for each breach identified until the breach is rectified.

Q: What enforcement action did the ODPC take against the healthcare provider?

A: According to the public statement, the ODPC issued an Enforcement Notice against the healthcare provider for breaching the Kenya data protection laws. In particular, the ODPC stated that a patient raised a complaint to the effect that after visiting the hospital, staff inappropriately contacted him/her. The ODPC ordered the healthcare provider to take certain specific actions to mitigate or eliminate the breach within 30 days.

Q: How will the complainants benefit from the enforcement measures?

A: Apart..

5 Key Policies for Data Protection Compliance

Policy development is a key consideration for any organisation looking to comply with data protection laws. Data protection policies are a set of principles, rules and guidelines that define the goals of an organisation in terms of privacy compliance. They provide guidance on how to achieve compliance objectives. Apart from guidance, a sound privacy policy framework ensures consistency in data protection across your organisation, offers clarity on data protection obligations and promotes accountability within the business.

This article is part of our ‘Roadmap to Data Protection Compliance’ series, which gives practical guidelines on how to comply with data protection laws and regulations. In this article, we outline the 5 basic data protection policies all organisations need to develop for compliance, namely:
- Data Protection Policy
- Data Retention Policy
- Privacy Policy/Notice
- Information Security Policies
- Incident Response Policy/Plan

1. Data Protection Policy

The first policy you need for privacy compliance is a Data Protection Policy. This is an internal policy which outlines your organisation’s approach to safeguarding personal data. It communicates to staff your expectations on how they should collect, use, disclose or otherwise process personal data. In addition, it enables an employer to communicate to staff the consequences of internal non-compliance. Through your data protection policy, you can address the following matters:
- the privacy governance structure within your organisation and the various roles and responsibilities assigned to each stakeholder
- the data protection principles and the measures that you have put in place to comply with them
- data subject rights handling, including the mechanisms you have in place to receive and respond to data subject rights requests
- your expectations on matters such as data retention, data security, data breach prevention and response, direct marketing, etc.
- any data protection measures that are unique to your business; for instance, a journalism company, a health-related organisation or a children’s organisation will approach data protection differently from other businesses
- how staff should escalate privacy concerns within the organisation
- the consequences of failing to comply with the policy

2. Data Retention Policies

One of the principles outlined under Section 25 of the Data Protection Act is storage limitation. This principle means that you should only keep personal information for as long as is necessary for the purposes of collection. Failing to define retention limits is a violation of the Act. A data retention policy is a set of guidelines that keeps track of how long an organisation retains information and how to dispose of the information when it is no longer needed. Information here means both electronic/digital format and hard-copy format. In many cases, a retention policy covers all types of information processed within an organisation and does not necessarily confine itself to personal data. However, because the law mandates that personal data should not be retained indefinitely, you should specify retention limits for personal data. The typical contents of a retention policy are:
- clear internal procedures for deletion and destruction
- the data kept in your organisation and the duration for which it is stored
- justification for the retention period for each type of data
- a determination of which personal data should be backed up and the duration of the back-up

When defining retention periods for your data, consider the purpose for which you collected the information. If your lawful purposes for processing personal data still apply, you can continue to hold the data. However, when the purpose expires, consider your legal and regulatory requirements to retain data, for example as evidence for tax and audits or, if necessary, in contemplation of potential lawsuits. Retention periods are not usually defined in data protection laws, but you can refer to other relevant statutes, e.g. the Income Tax Act or the Companies Act. Moreover, consider whether you require the data for decision-making or business continuity, e.g. AGM minutes or director and shareholder information.

3. Privacy Policies or Notices

A Privacy Notice, commonly referred to as a Privacy Policy, communicates how an organisation safeguards the personal data it interacts with. It is sometimes confused with the Data Protection Policy. However, the key distinguishing factor between the two is that a Data Protection Policy is an internal document addressed to staff within the organisation, while Privacy Notices are outward-facing documents directed at the individuals whose personal data is collected and processed by an organisation. A Privacy Notice can be directed at employees (Employee Privacy Notice), website users (Website Privacy Notice), clients or customers (Privacy Notice), etc.

Privacy Notices typically contain:
- the identity and contact details of the data controller or processor, including contact details for your Data Protection Officer
- an explanation of why you collect and use personal data, how you use and disclose the data, how long you keep the data, and your legal basis for processing
- any other special considerations, e.g. regarding children’s data, health data or international transfers

Privacy Notices are the main platforms through which organisations communicate with data subjects on how they handle their personal data. Your business discharges its transparency obligation through these documents. Because your customers, clients, employees, etc. rely heavily on your Privacy Notice, a misleading, incomplete, inaccessible or poorly worded document may result in massive fines, sanctions and reputational risks. This was the case in Facebook Inc.’s settlement with America’s federal consumer protection agency, the FTC, where Facebook suffered huge financial and regulatory sanctions for deceiving its users on their privacy policy. To avoid this, ensure your notices are accurate, clear and easy to understand, especially for vulnerable groups like children. Further, ensure the notice is readily accessible to the reader at the relevant time, i.e. before processing begins.

4. Information Security Policies

Information Security Policies set out your organisation’s guidelines for detecting, preventing and managing risks to the business’s information. These risks include the loss, theft, copying or any other derogation of information integrity. All the information you hold may be at risk of derogation, including soft copy, hard copy or even oral information. Information security risks can originate internally or externally, and could be either malicious or accidental. No matter..

A Privacy Assessment: What it is and Why you need it

Conducting a privacy assessment is crucial to your data protection compliance journey. A privacy assessment is an in-depth evaluation of the personal data an organisation holds and its current data handling practices. Through this process you can identify the key privacy risks facing your organisation and the compliance gaps you need to fill. Privacy assessments involve two critical steps: data mapping and gap assessment. In this article, we consider the value of a privacy assessment to your privacy compliance program. We describe the best way to do this assessment in order to optimise your organisation’s compliance program.

This article is part of our ongoing ‘Roadmap to Data Protection Compliance’ series, which gives practical guidelines to businesses looking to comply with data protection laws. Previous articles in this series tackled initial training and sensitisation as a first step towards compliance and establishing a privacy governance framework as the second step.

What is a privacy assessment?

A privacy assessment is an analysis of how personal data is collected, used, shared and maintained within an organisation. It is a risk management process that helps institutions identify the impact of their data processing operations on individuals’ privacy. Once data protection issues are identified, your organisation can develop remedial or mitigating actions to ensure compliance with data protection laws.

Why conduct a privacy assessment?

Privacy assessments give key privacy compliance stakeholders in your organisation a keen understanding of the personal data you collect and how it is processed. Privacy assessments can serve you in the following ways:

How to Carry out a Privacy Assessment

There are two steps to carrying out a privacy assessment. The first is data mapping. A data map is a complete record or inventory of all the personal data processed in your organisation. This inventory provides an overview of how the data flows from its initial collection to the point at which it is erased. For a more in-depth look at how mapping supports privacy compliance, click here. The second step is a gap analysis. This is a critical evaluation of all the data maps to identify data privacy gaps. In essence, you assess the extent of current compliance with data protection laws and regulations. You also identify the existing risks and data protection gaps in the processing of personal data in your organisation. Some best practices for privacy assessments include:

Conclusion

The privacy assessment process identifies all data protection gaps and privacy risk factors. We see how data comes into the organisation and how it moves, how it is used, how it is stored and secured, and how it is finally erased. Your organisation can then implement the recommendations from the privacy assessment report, allowing you to develop an effective compliance program. Next week we continue the ‘Roadmap to Data Protection Compliance’ series by advising on the key policies required for data protection compliance.

4 Considerations for Privacy Governance

In our previous article, we shared our thoughts on the importance of baseline training and why it should be the first step in data privacy compliance. Along the same line, this week we look at the significance of establishing a governance framework for your privacy compliance program.

Why privacy governance?

Crafting an appropriate governance framework for your privacy program is essential to safeguarding personal data in your organisation. Some benefits of having a sound privacy governance framework are:

a. Facilitating data protection compliance

An efficient governance framework guarantees that your organisation meets all its legal obligations under the current data protection laws. Through this framework your organisation can outline its compliance obligations and map out a path to compliance. Furthermore, you can set out a privacy accountability framework to ingrain a culture of data protection within the organisation.

b. Promoting brand reputation

An efficient privacy program also enhances your organisation’s reputation. If you misuse customer data you run the risk of severe backlash from your clients, which in turn dents your corporate image. A case example is the 2016 data breach and subsequent cover-up at Uber Technologies Inc., which saw its customer perception rating drop by 141.3%. A large part of this market share was lost to rival company Lyft Inc. An elaborate privacy governance framework would shield your organisation against such risks.

c. Adopting a proactive approach to data protection

Merely adhering to the mandated data protection laws and regulations is a simplistic approach to privacy. Where an efficient governance framework is in place, the organisation advances from simply reacting to the laws to actively embracing data privacy and using it to your advantage. A proactive approach to data protection tailors your compliance strategy to the realities of your business. In addition, it allows you to foresee potential data risks and employ relevant mitigation strategies.

d. Improving operational efficiency

Another benefit of good privacy governance is improved operational efficiency in all functions that process data in the business. A privacy team is perfectly placed to identify and minimise unnecessary costs that arise from inefficient data processing. They can do this by minimising the duplication of roles, eliminating duplicated data that drives up storage costs, etc. In doing so, the team would not only save your business money but also optimise workflow.

Key Considerations for your Privacy Governance Structure

1. The privacy vision and mission

A privacy vision statement is an aspirational statement that articulates what the organisation would like to achieve regarding data protection. Through the vision statement, the company’s leadership communicates core privacy values to other stakeholders in the organisation. A mission statement is a succinct statement describing why a data privacy framework exists and the overall goals of the framework. Moreover, it describes some of the core principles embodied in the framework. Both these statements embed a culture of privacy within the organisation that enables compliance. When stated in outward-facing communications like privacy policies, they demonstrate to the public a care for their personal information, thus reaping the benefits of trust and loyalty. A perfect example of this is Apple’s privacy mission statement, which reads as follows:

“Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.”

2. Data governance

When crafting your privacy governance framework, you should deeply consider your organisation’s data governance system. Data governance is a system which defines what type of data is handled in your business, how it is handled, by whom, how it flows throughout the organisation, etc. Personal data is the central focus of privacy compliance; therefore your privacy governance framework should demonstrate a keen understanding of the data processing operations of your business. Using data maps and similar data tracking tools you can document the footprint of data from when it is collected and recorded to when it is erased and disposed of. As a result, you paint a holistic picture of your organisation’s interaction with personal data, which guides your privacy governance program.

3. Positioning the privacy governance function

In addition, consider how your privacy function will fit within your current internal and external reporting structures. Privacy governance needs to be strategically domiciled in the business to oversee crucial data processing operations. To illustrate, complex organisations with several department heads may need to decentralise privacy compliance so as to incorporate all the departments that process personal data in the organisation. Conversely, a small or mid-sized enterprise might centralise the function by assigning it to one person, such as the CEO. In so doing, any policies, protocols or orders that are issued can be easily tracked and implemented throughout the enterprise. Moreover, organisations with stringent statutory requirements, like government agencies and multinational corporations, will need to align their privacy framework to their legal reporting obligations. Basically, establishing a privacy governance framework requires a broad understanding of the upstream and downstream interaction of stakeholders and the process of decision-making and issue resolution within your organisation.

4. Resourcing your privacy governance function

a) Appointment of a Privacy Team

Once you have conceptualised the privacy governance framework and defined its objectives, the next step is to appoint a team. Depending on the organisation’s needs, a single individual may manage the entire function or an all-inclusive team may take it up. The team may comprise individuals skilled in data protection or data privacy champions from different departments. The Data Protection Act recommends the appointment of a data protection officer (DPO) for organisations that regularly or systematically process personal data or for those that handle sensitive personal data. However, any organisation may appoint a DPO to facilitate the privacy compliance process. The DPO must have relevant academic or professional qualifications in matters relating..

The First Step Towards Data Protection Compliance

Following the enactment of the Data Protection Act, 2019 (the ‘Act’) and its supporting regulations, many organisations are gearing toward compliance. Privacy compliance has several aspects to it, including determination of privacy governance structures; data mapping; privacy gap assessments; development and implementation of policy and procedural frameworks; data security; and training and awareness. When embarking on the project, it is tempting to overlook initial training and sensitisation, but if properly executed it can guarantee the success of your compliance program. Let us consider some of the reasons why a privacy leader or manager should give priority to training and awareness as they develop a privacy compliance program.

Scope of the Kenya Data Protection Act

In the course of doing business, it is common to interact with personal data relating to clients, suppliers, contractors and employees. You must handle this information in accordance with privacy laws and regulations to avoid litigation, regulatory fines and sanctions or disrepute to the business. With the enactment of the Data Protection Act (the ‘Act’) and supporting regulations, many businesses are now revisiting their relationship with personal data. In this article, we consider the scope of application of the Act and how and when the exemptions apply.