It has been five years since Kenya introduced its first data protection law, a critical step towards promoting privacy and protecting personal information. The Data Protection Act sets out clear obligations for organisations that collect and process personal data. Over the past two years, the Office of the Data Protection Commissioner has taken several enforcement actions against violators of the Act, including imposing fines and awarding compensation to affected data subjects.

One of the key departments responsible for ensuring compliance is HR, which plays a pivotal role in managing employee data. HR professionals must ensure data privacy compliance at every stage of the employee lifecycle. Beyond compliance, they must also address the growing threat of cyberattacks targeting sensitive employee information, all while fostering a culture of privacy and trust within their organisations.

While many HR professionals are familiar with the basics of data protection, emerging challenges and nuanced obligations under the law require a deeper understanding. Here are five key emerging data protection considerations for HR professionals:

1. Deleting Data Doesn’t Mean It’s Gone

When HR teams delete resumes, contracts, or other employee records, it is often assumed that the data is gone for good from the IT systems. However, in many cases, fragments of this information can linger in backup systems, shared folders, or archived databases. These remnants, if not properly managed, could become a compliance risk or a target for cybercriminals.

Compliance Tips
- Establish robust data retention and deletion policies that align with legal and organisational requirements.
- Use secure deletion tools designed to permanently erase data from all systems, including backups and cloud storage.
- Conduct regular audits to identify and eliminate residual or unnecessary data that may no longer serve a lawful purpose.

2. Employee Monitoring Must Balance Privacy and Compliance

Employee monitoring tools are increasingly being used to track productivity and ensure compliance with workplace policies, especially in remote and hybrid work environments. While these tools can offer valuable insights, they also introduce privacy concerns that HR professionals must carefully address. Excessive monitoring or a lack of transparency can lead to legal liabilities and erode trust within the organisation. HR professionals must strike a balance between monitoring for legitimate business purposes and respecting employees’ privacy rights. The Kenya Data Protection Act emphasises the importance of proportionality and transparency by requiring organisations to inform employees about monitoring practices and obtain consent where necessary.

Compliance Tips
- Define clear policies outlining the scope and purpose of employee monitoring, ensuring these align with data protection laws.
- Communicate monitoring policies transparently to employees, fostering a culture of openness and trust.
- Regularly review monitoring practices to ensure they remain necessary, proportionate, and compliant with evolving legal standards.

3. Background Checks Must Comply with Privacy Requirements

HR professionals must ensure that background checks are conducted in a lawful, ethical manner, tailored to the specific requirements of each role. They should also be careful to collect only the necessary information, avoiding any intrusion into employees’ privacy. In addition, the HR department must have clear processes in place to manage and respond to requests for background check information effectively.

Compliance Tips
- Tailor background checks to the role’s requirements, ensuring compliance with both local and international data protection laws.
- Obtain clear and informed consent from candidates before initiating any checks.
- Establish robust policies for securely handling, storing, and disposing of information obtained during the screening process.

4. Cybersecurity Risks Can Affect HR Data Too!

HR departments are prime targets for cybercriminals due to the large amounts of sensitive personal data they manage. Threats like phishing attacks targeting payroll information and ransomware aimed at employee records are on the rise, presenting significant risks. Cybersecurity should be as much a priority for HR as it is for the IT department.

Compliance Tips
- Train HR staff to recognise phishing attempts and adopt cybersecurity best practices.
- Implement advanced security measures, such as encryption, multi-factor authentication, and role-based access controls for HR systems.
- Work closely with IT teams to regularly test and update security protocols, ensuring they can withstand emerging threats.

5. The Right to Be Forgotten: Managing Ex-Employee Data Requests

Under the Data Protection Act, individuals, including former employees, have the right to request the deletion of their personal data. However, HR professionals must balance this right with legal requirements to retain certain records for compliance purposes, such as tax and employment law regulations. Mishandling these requests can lead to non-compliance or operational risks. HR departments need clear procedures for managing data deletion requests while ensuring that statutory obligations are met. Transparency and thorough documentation are key to navigating this complex requirement effectively.

Compliance Tips
- Establish a formal process for handling data deletion requests, including clear timelines and escalation procedures.
- Identify and segregate records that must be retained for legal or regulatory purposes from data that can be securely deleted.
- Maintain an audit trail of deletion requests and actions taken to demonstrate compliance with legal requirements.
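As an added example, not taken from the original article, the Python sketch below applies the advice in sections 1 and 5: it evaluates a former employee’s erasure request copy by copy (including copies lingering in backups and shared folders) against an assumed retention schedule, escalates any record category the schedule does not cover, and records each decision in a hash-chained audit trail that can later be verified. The record categories, retention periods, employee identifiers and dates are constructed for illustration and are not drawn from Kenyan statute.

```python
"""Added example, not part of the original article: deciding an ex-employee's
erasure request against a retention schedule and logging a tamper-evident audit
trail. Every category, period, identifier and date below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import hashlib
import json

# Assumed schedule (not from any statute): category -> (years to keep after
# employment ends, justification). None = no retention duty, delete on request.
RETENTION_SCHEDULE = {
    "payroll_tax": (7, "assumed tax-record retention period"),
    "employment_contract": (5, "assumed limitation period for contract claims"),
    "cv_and_application": (None, "no duty to retain after employment ends"),
    "performance_reviews": (None, "no duty to retain after employment ends"),
}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    employee_id: str
    location: str  # where this copy lives: live system, shared folder or backup

@dataclass(frozen=True)
class Decision:
    record_id: str
    location: str
    action: str  # "delete", "retain" or "escalate"
    reason: str
    retain_until: Optional[date]

def evaluate_request(records, employee_id, employment_ended, today):
    """Decide, copy by copy, what the request means for each record. Backup and
    shared-folder copies get the same decision as the live copy, so a 'delete'
    outcome has to be carried out everywhere the data lingers."""
    decisions = []
    for r in records:
        if r.employee_id != employee_id:
            continue  # only the requester's own data is in scope
        if r.category not in RETENTION_SCHEDULE:
            decisions.append(Decision(r.record_id, r.location, "escalate",
                                      "category missing from retention schedule", None))
            continue
        years, basis = RETENTION_SCHEDULE[r.category]
        if years is None:
            decisions.append(Decision(r.record_id, r.location, "delete", basis, None))
            continue
        # The retention clock runs from the end of employment (29 Feb not handled).
        retain_until = employment_ended.replace(year=employment_ended.year + years)
        if today >= retain_until:
            decisions.append(Decision(r.record_id, r.location, "delete",
                                      f"retention period expired ({basis})", retain_until))
        else:
            decisions.append(Decision(r.record_id, r.location, "retain", basis, retain_until))
    return decisions

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_audit_trail(request_id, actor, decided_on, decisions):
    """Append-only trail: each entry carries the previous entry's hash, so editing,
    dropping or reordering an entry later breaks the chain."""
    entries, prev = [], "0" * 64
    for d in decisions:
        body = {"request_id": request_id, "actor": actor,
                "decided_on": decided_on.isoformat(), "record_id": d.record_id,
                "location": d.location, "action": d.action, "reason": d.reason,
                "retain_until": d.retain_until.isoformat() if d.retain_until else None,
                "prev_hash": prev}
        prev = _digest(body)
        entries.append({**body, "entry_hash": prev})
    return entries

def verify_audit_trail(entries) -> bool:
    """Recompute the chain; False if any entry was altered, removed or reordered."""
    prev = "0" * 64
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != prev or e["entry_hash"] != _digest(body):
            return False
        prev = e["entry_hash"]
    return True

# Constructed sample: one ex-employee whose data sits in several places.
SAMPLE_RECORDS = [
    Record("R1", "payroll_tax", "E-104", "hr_db"),
    Record("R2", "cv_and_application", "E-104", "recruitment_share"),
    Record("R3", "cv_and_application", "E-104", "backup_2021q2"),  # lingering copy
    Record("R4", "employment_contract", "E-104", "hr_db"),
    Record("R5", "performance_reviews", "E-104", "hr_db"),
    Record("R6", "badge_photos", "E-104", "shared_drive"),  # not in the schedule
    Record("R7", "payroll_tax", "E-205", "hr_db"),  # someone else's data
]

def run_example():
    """Employment ended 30 June 2021; request handled on 15 January 2025."""
    decisions = evaluate_request(SAMPLE_RECORDS, "E-104", date(2021, 6, 30), date(2025, 1, 15))
    trail = build_audit_trail("DSR-0001", "hr.privacy.lead", date(2025, 1, 15), decisions)
    return decisions, trail

if __name__ == "__main__":
    for d, e in zip(*run_example()):
        print(f"{d.record_id} {d.location:<18} {d.action:<8} {d.reason}  hash={e['entry_hash'][:12]}")
```

Running it shows the CV copies in the recruitment share and the 2021 backup both marked for deletion, the payroll and contract records retained with their assumed expiry dates, and the uncatalogued badge photos escalated rather than silently kept.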
In conclusion, HR professionals are key to ensuring data protection compliance and safeguarding employee information. By staying informed, implementing clear policies, and taking proactive steps, HR can manage data privacy effectively while building trust within the organisation. Contact us today to learn how we can support your HR team in managing data privacy risks and ensuring compliance with the latest regulations.
Latest Posts
Recent ODPC Decisions on the use of Personal Photos & Videos in Kenya
In recent years, Kenya has witnessed significant developments in data protection. One key development has been the commitment to safeguarding personal and sensitive information, which is underscored by the enforcement actions taken by the Office of the Data Protection Commissioner (ODPC). Specifically, the ODPC has established mechanisms for receiving and determining complaints related to data protection. We have been tracking decisions taken by the ODPC with the aim of understanding the impact of the decisions on our clients’ operations. Below is a highlight of the key decisions:

In the case of Liburuwen Lesanguru Kweri v Beehive Media Limited [ODPC Complaint No. 0740 of 2023], Beehive Media Limited (“Beehive”) was contracted by Capwell Industries Limited to provide advertising services for their maize flour products (“Soko” and “Amaize”). In executing its mandate, Beehive obtained an image from a public and royalty-free image repository known as Shutterstock for use in a Father’s Day campaign. It was not in dispute that the image was obtained from Shutterstock and that there was no express consent from the data subject for use of the image. In its defence, Beehive stated that: –

The ODPC determined that Beehive’s action of using an individual’s stock image for advertisements without their express consent violated their rights. However, the ODPC dismissed the complaint on the basis that Beehive had taken immediate steps to resolve the matter, including pulling down the advertisements in dispute, terminating the contract it had with Shutterstock Inc., and reaching out to the data subject to try and settle the matter amicably.

In the case of Isaya Lemerketo v Kenya School of Law [ODPC Complaint No. 0608 of 2023], the Kenya School of Law (“School”) made flyers featuring the complainant’s image and distributed them on its social media platforms (Instagram, Facebook and Twitter) and hardcopy marketing collateral without his consent. Upon receipt of the complaint, the School withdrew the flyers within 24 hours, took down the social media posts and communicated its actions to the data subject. The ODPC determined that the School’s action of using a person’s image without their consent violated his rights over his image. However, the ODPC commended the immediate actions taken by the School to resolve the matter and marked the complaint as resolved.

In Edith Andeso v Olerai Schools Limited [ODPC Complaint No. 725 of 2023], the respondent was Olerai Schools Limited (“School”). Prior to termination of employment, the complainant was a full-time teacher at the School. After she was terminated, she raised a complaint that the School had taken photos of her and posted them on the School’s Facebook page without her consent. She further asserted that the photo created a perception that she was a member of the School, thereby limiting her employment options. In its defence, the School stated that: –

The ODPC determined that the complainant had knowledge of the purpose and context in which the photos were to be used and, by her clear affirmative action, consented to the processing of her personal data by the School. Therefore, the ODPC dismissed the complaint.

In the case of Christine Wairimu Muturi v Roma School Uthiru [ODPC Complaint No. 0841 of 2023], the complainant alleged that she was a parent at Roma School, Uthiru, and that the School had processed images of pupils (minors) on TikTok without the express consent of their parents or guardians. The School had created a WhatsApp group through which it informed parents of its intention to publish minors’ images and videos on TikTok. This prompted the parents to raise objections, leading to the filing of the complaint. In its response to the Data Commissioner, the School stated, without producing evidence, that: –

The Data Commissioner conducted independent investigations and determined that the respondent operates a TikTok and Facebook page on which it posted images and videos of pupils. As a result, the Data Commissioner held that the School had failed to abide by the requirements of the Data Protection Act, including the principles of data protection and protecting the rights of minors by seeking consent. The Commissioner issued an Enforcement Notice and a Penalty Notice and fined the School the sum of Kenya Shillings Four Million, Five Hundred Thousand (Kes. 4,500,000/-).

In the case of Abdinur Kassim & Luqman Hussein Kassim (Minor suing through his father and next friend) v Joyce Njoki Ngugi T/A Kora Spa [ODPC Complaint No. 0660 of 2023], the complainant alleged that the respondent processed the personal information relating to the minor for commercial purposes without the consent of the data subject and the minor’s guardian. The complainant visited the respondent’s place of business at Fedha Business Park, Embakasi, with the sole purpose and intention of obtaining barber services. While receiving the services, agents of the respondent took their photographs without offering any explanation. Five days after their visit, the complainants discovered that the respondent had published the photographs on Facebook and Instagram without their consent. In response, the respondent denied the complainant’s allegations and stated that: –

The ODPC determined that posting the images on the respondent’s social media pages amounted to commercial use of personal data, which required consent. The respondent failed to demonstrate that it had obtained the express consent of the complainant and his guardian. Further, the ODPC was unable to establish how long the images remained online after publication and before being pulled down. Therefore, the ODPC issued the respondent with an Enforcement Notice.

In the case of Perpetual Wanjiku v Casa Vera Lounge [ODPC Complaint No. 0607 of 2023], the respondent, a popular bar and restaurant, captured images of the data subject and featured them on its Facebook, Instagram and WhatsApp platforms without her consent. The complainant filed a complaint alleging breach of privacy. In response to the complaint, the respondent stated that: –

The ODPC conducted a site visit and ascertained that the notice was not visible to customers upon their entry to the respondent’s premises. As such, it was not considered to be sufficient notice as envisaged in the Act. Consequently, the..
Kenya Data Commissioner Makes First Enforcement Move
On 5th October 2022, the Office of the Data Protection Commissioner (“ODPC”) issued a public statement citing a raft of enforcement measures against 40 digital lenders and a leading healthcare provider. The move marks the first enforcement activity since the ODPC’s establishment. In this article, we consider the implications of the public notice issued by the ODPC.

Q: What is the Office of the Data Protection Commissioner?
A: An office set up under the Data Protection Act, 2019 (“the Act”) to regulate personal data processing in Kenya. The Data Commissioner heads the ODPC. Her powers include investigation of complaints made under the Act and imposition of fines.

Q: Why did the ODPC put the digital lenders on notice?
A: According to the notice, members of the public raised several complaints to the Data Commissioner regarding the lenders’ personal data processing practices. The notice did not specify the nature or bases of the complaints. However, we believe the complaints arise from the lenders’ use of data, especially during debt collection. An earlier article we penned on this issue sheds further light on this. Since publishing the article, we have received numerous complaints from borrowers centred on privacy-intrusive practices such as debt shaming, most of which we have referred to the ODPC.

Q: What is the procedure for handling complaints?
A: The Act and the Data Protection (Complaints Handling and Enforcement Procedures 2021) (“the Enforcement Regulations”) set out the procedure for handling complaints. In summary, upon receipt of a complaint, the Data Commissioner should notify the respondent of the complaint and require a response within twenty-one days. If the respondent fails to respond, the Data Commissioner may take appropriate enforcement measures. Apart from inviting the respondent to make submissions, the Data Commissioner has power to investigate the complaint. This includes the power to summon persons to produce documents or give submissions on the complaint. Once the investigation ends, the Data Commissioner must make a determination based on the findings. The determination options include issuance of enforcement and penalty notices, dismissal of the complaint, recommendation for prosecution or an order for compensation to the data subject.

Q: What enforcement action was proposed against digital lenders?
A: According to the notice, the ODPC shall conduct a preliminary documentary assessment and audit against the 40 digital lenders listed in the notice. The Act does not define the term “preliminary documentary assessment and audit”. However, it gives the Data Commissioner the power to carry out periodical audits of the processes and systems of data controllers and processors to ensure compliance.

Q: What does a documentary assessment and audit entail?
A: Since the purpose of the audit is to determine the extent of compliance, the audit will most likely focus on the following aspects:
- appropriateness of the data protection policies in place
- lawful bases for processing personal data
- the extent to which automated data processing profiles borrowers, and the extent of borrower protection in these instances
- consent management: how and when lenders seek consent to process personal data
- the extent of use of data protection impact assessments to comply with the Act
- evidence of staff training on data protection
- the lender’s registration status

Notably, the ODPC did not issue any official guidelines or regulations on the conduct of preliminary documentary assessments and audits.

Q: If the outcome of the audit is negative, what are the likely consequences?
A: The enforcement powers of the regulator under the Act and the Enforcement Regulations include the power to issue enforcement notices, penalty notices and administrative fines, or to make orders for compensation of the complainants.

Q: What is an enforcement notice?
A: Under section 58 of the Act, the Data Commissioner has power to issue an enforcement notice to any person that fails to comply with a provision of the Act. The notice may be issued by email, physical delivery or by post. In terms of content, enforcement notices must specify the provision of the Act contravened and the requisite compliance requirements. In addition, the notice must specify a compliance period of not less than twenty-one days. Finally, the notice must specify whether the person has any right to appeal.

Q: What rights does a person have upon being issued with an enforcement notice?
A: A person served with an enforcement notice may apply for review of the notice in two instances. First, a review is possible on account of a change of circumstances or where new facts have arisen. Additionally, a right to review arises if the failure outlined in the notice is curable without carrying out some of the requirements of the notice. Apart from review, a person has the right to appeal to the High Court against any decision arising out of the enforcement notice. Such an appeal must be filed within thirty (30) days of the date of service of the enforcement notice.

Q: What is a penalty notice?
A: Where a person fails to comply with an enforcement notice, the Data Commissioner has power to issue a penalty notice. A penalty notice obliges the respondent to pay the Data Commissioner the administrative fine specified in the notice. The notice specifies the reasons for imposition of the fine. In addition, it also outlines payment modalities and the respondent’s right to appeal. The maximum amount leviable under the notice is Kes. 5,000,000/- or 1% of gross annual turnover, whichever is lower. In addition, a penalty notice may impose a daily fine of not more than ten thousand shillings for each breach identified until the breach is rectified.

Q: What enforcement action did the ODPC take against the healthcare provider?
A: According to the public statement, the ODPC issued an Enforcement Notice against the healthcare provider for breaching the Kenya data protection laws. In particular, the ODPC stated that a patient raised a complaint to the effect that, after visiting the hospital, staff inappropriately contacted him/her. The ODPC ordered the healthcare provider to take certain specific actions to mitigate or eliminate the breach within 30 days.

Q: How will the complainants benefit from the enforcement measures?
A: Apart..
5 Key Policies for Data Protection Compliance
Policy development is a key consideration for any organisation looking to comply with data protection laws. Data protection policies are a set of principles, rules and guidelines that define the goals of an organisation in terms of privacy compliance. They provide guidance on how to achieve compliance objectives. Apart from guidance, a sound privacy policy framework ensures consistency in data protection across your organisation, offers clarity on data protection obligations and promotes accountability within the business.

This article is part of our ‘Roadmap to Data Protection Compliance’ series, which gives practical guidelines on how to comply with data protection laws and regulations. In this article, we outline the 5 basic data protection policies all organisations need to develop for compliance, namely:
- Data Protection Policy
- Data Retention Policy
- Privacy Policy/Notice
- Information Security Policies
- Incident Response Policy/Plan

1. Data Protection Policy

The first policy you need for privacy compliance is a Data Protection Policy. This is an internal policy which outlines your organisation’s approach to safeguarding personal data. It communicates to staff your expectations on how they should collect, use, disclose or otherwise process personal data. In addition, it enables an employer to communicate to staff the consequences of internal non-compliance. Through your data protection policy, you can address the following matters:
- The privacy governance structure within your organisation and the various roles and responsibilities assigned to each stakeholder
- The data protection principles and the measures that you have put in place to comply with them
- Data subject rights handling, including the mechanisms you have in place to receive and respond to data subject rights requests
- Your expectations on matters such as data retention, data security, data breach prevention and response, direct marketing, etc.
- Any data protection measures that are unique to your business. For instance, a journalism company, health-related organisation, children’s organisation etc. will have a different approach to data protection than other business organisations
- How staff should escalate privacy concerns within the organisation
- Lastly, the consequences of failing to comply with the policy

2. Data Retention Policies

One of the principles outlined under Section 25 of the Data Protection Act is storage limitation. This principle means that you should only keep personal information for as long as is necessary for the purposes of collection. Failing to define retention limits is a violation of the Act. A data retention policy is a set of guidelines that keep track of how long an organisation retains information and how to dispose of the information when it is no longer needed. Information here means both electronic/digital format and hard-copy format. In many cases, a retention policy covers all types of information processed within an organisation and does not necessarily confine itself to personal data. However, because the law mandates that personal data should not be retained indefinitely, you should specify retention limits for personal data. The typical contents of a retention policy are:
- Clear internal procedures for deletion and destruction
- The data kept in your organisation and the duration for which it is stored
- Justification for the retention period for each type of data
- A determination of which personal data should be backed up and the duration of the backup

When defining retention periods for your data, consider the purpose for which you collected the information. If your lawful purposes for processing personal data still apply, you can continue to hold the data. However, when the purpose expires, consider your legal and regulatory requirements to retain data, for example as evidence for tax and audits or, if necessary, in contemplation of potential lawsuits. Retention periods are not usually defined in data protection laws, but you can refer to other relevant statutes, e.g. the Income Tax Act or the Companies Act. Moreover, consider whether you require the data for decision-making or business continuity, e.g. AGM minutes or director and shareholder information.

3. Privacy Policies or Notices

A Privacy Notice, commonly referred to as a Privacy Policy, communicates how an organisation safeguards the personal data it interacts with. It is sometimes confused with the Data Protection Policy. However, the key distinguishing factor between the two is that the Data Protection Policy is an internal document addressed to staff within the organisation, while Privacy Notices are outward-facing policies directed at the individuals whose personal data is collected and processed by an organisation. A Privacy Notice can be directed at employees (Employee Privacy Notice), website users (Website Privacy Notice), clients or customers (Privacy Notice) etc.

Privacy Notices typically contain:
- The identity and contact details of the data controller or processor, including contact details for your Data Protection Officer
- An explanation of why you collect and use personal data, how you use and disclose the data, how long you keep the data, and your legal basis for processing
- Any other special considerations, e.g. regarding children’s data, health data, any international transfers etc.

Privacy Notices are the main platforms through which organisations communicate with data subjects on how they handle their personal data. Your business discharges its transparency obligation through these documents. Because your customers, clients, employees etc. rely heavily on your Privacy Notice, a misleading, incomplete, inaccessible or poorly worded document may result in massive fines, sanctions and reputational risks. This was the case in the Facebook Inc. settlement with America’s Federal Consumer Protection Agency FTC, where Facebook suffered huge financial and regulatory sanctions for deceiving its users on their privacy policy. To avoid this, ensure your notices are accurate, clear and easy to understand, especially for vulnerable groups like children. Further, ensure the notice is readily accessible to the reader at the relevant time, i.e. before processing begins.

4. Information Security Policies

Information Security Policies set out your organisation’s guidelines for detecting, preventing, and managing risks to the business’ information. These risks include the loss, theft, copying, or any other derogation of information integrity. All the information you hold may be at risk of derogation, including soft copy, hard copy or even oral information. Information security risks can originate internally or externally, and could be either malicious or accidental. No matter..
A Privacy Assessment: What it is and Why you need it
In our previous article, we shared our thoughts on the importance of baseline training and why it should be the first step in data privacy compliance. Along the same line, this week we look at the significance of establishing a governance framework for your privacy compliance program.

Why privacy governance?

Crafting an appropriate governance framework for your privacy program is essential to safeguarding personal data in your organisation. Some benefits of having a sound privacy governance framework are:

a. Facilitating data protection compliance
An efficient governance framework guarantees that your organisation meets all its legal obligations under the current data protection laws. Through this framework your organisation can outline its compliance obligations and map out a path to compliance. Furthermore, you can set out a privacy accountability framework to ingrain a culture of data protection within the organisation.

b. Promoting brand reputation
An efficient privacy program also enhances your organisation’s reputation. If you misuse customer data you run the risk of severe backlash from your clients, which in turn dents your corporate image. A case example is the 2016 data breach and subsequent cover-up at Uber Technologies Inc., which saw its customer perception rating drop by 141.3%. A large part of this market share was lost to rival company Lyft Inc. An elaborate privacy governance framework would shield your organisation against such risks.

c. Adopting a proactive approach to data protection
Merely adhering to the mandated data protection laws and regulations is a simplistic approach to privacy. Where an efficient governance framework is in place, the organisation advances from simply reacting to the laws to actively embracing data privacy and using it to its advantage. A proactive approach to data protection tailors your compliance strategy to the realities of your business. In addition, it allows you to foresee potential data risks and employ relevant mitigation strategies.

d. Improving operational efficiency
Another benefit of good privacy governance is improved operational efficiency in all functions that process data in the business. A privacy team is perfectly placed to identify and minimise unnecessary costs that arise from inefficient data processing. They can do this by minimising the duplication of roles, eliminating duplicated data that drives up storage costs, etc. In doing so, the team would not only save your business money but also optimise workflow.

Key Considerations for your Privacy Governance Structure

1. The privacy vision and mission
A privacy vision statement is an aspirational statement that articulates what the organisation would like to achieve regarding data protection. Through the vision statement, the company’s leadership communicates core privacy values to other stakeholders in the organisation. A mission statement is a succinct statement describing why a data privacy framework exists and the overall goals of the framework. Moreover, it describes some of the core principles embodied in the framework. Both these statements embed a culture of privacy within the organisation that enables compliance. When stated in outward-facing communications like privacy policies, they demonstrate to the public a care for their personal information, thus reaping the benefits of trust and loyalty. A perfect example of this is Apple’s privacy mission statement, which reads as follows: “Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.”

2. Data governance
When crafting your privacy governance framework, you should deeply consider your organisation’s data governance system. Data governance is a system which defines what type of data is handled in your business, how it is handled, by whom, how it flows throughout the organisation, etc. Personal data is the central focus of privacy compliance; therefore your privacy governance framework should demonstrate a keen understanding of the data processing operations of your business. Using data maps and similar data tracking tools you can document the footprint of data from when it is collected and recorded to when it is erased and disposed of. As a result, you paint a holistic picture of your organisation’s interaction with personal data, which guides your privacy governance program.

3. Positioning the privacy governance function
In addition, consider how your privacy function will fit within your current internal and external reporting structures. Privacy governance needs to be strategically domiciled in the business to oversee crucial data processing operations. To illustrate, complex organisations with several department heads may need to decentralise privacy compliance so as to incorporate all the departments that process personal data in the organisation. Conversely, a small or mid-sized enterprise might centralise the function by assigning it to one person such as the CEO. In so doing, any policies, protocols or orders that are issued can be easily tracked and implemented throughout the enterprise. Moreover, organisations with stringent statutory requirements like government agencies and multinational corporations will need to align their privacy framework to their legal reporting obligations. Basically, establishing a privacy governance framework requires a broad understanding of the upstream and downstream interaction of stakeholders and the process of decision-making and issue resolution within your organisation.

4. Resourcing your privacy governance function

a) Appointment of a Privacy Team
Once you have conceptualised the privacy governance framework and defined its objectives, the next step is to appoint a team. Depending on the organisation’s needs, a single individual may manage the entire function or an all-inclusive team may take it up. The team may comprise individuals skilled in data protection or data privacy champions from different departments. The Data Protection Act recommends the appointment of a data protection officer (DPO) for organisations that regularly or systematically process personal data or for those that handle sensitive personal data. However, any organisation may appoint a DPO to facilitate the privacy compliance process. The DPO must have relevant academic or professional qualifications in matters relating..
A Privacy Assessment: What it is and Why you need it
Conducting a privacy assessment is a crucial step in your data protection compliance journey. A privacy assessment is an in-depth evaluation of the personal data an organisation holds and of its current data handling practices. Through this process you can identify the key privacy risks facing your organisation and the compliance gaps you need to fill. Privacy assessments involve two critical steps: data mapping and a gap analysis.

In this article, we consider the value of a privacy assessment to your privacy compliance program and describe how best to carry out the assessment so that it strengthens that program. This article is part of our ongoing ‘Roadmap to Data Protection Compliance’ series, which gives practical guidance to businesses looking to comply with data protection laws. Previous articles in this series tackled initial training and sensitisation as the first step towards compliance, and establishing a privacy governance framework as the second step.

What is a privacy assessment?

A privacy assessment is an analysis of how personal data is collected, used, shared and maintained within an organisation. It is a risk management process that helps institutions identify the impact of their data processing operations on individuals’ privacy. Once data protection issues are identified, your organisation can develop remedial or mitigating actions to ensure compliance with data protection laws.

Why conduct a privacy assessment?

Privacy assessments give the key privacy compliance stakeholders in your organisation a clear understanding of the personal data you collect and how it is processed. Privacy assessments can serve you in the following ways:

How to carry out a privacy assessment

There are two steps to carrying out a privacy assessment. The first is data mapping. A data map is a complete record or inventory of all the personal data processed in your organisation. This inventory provides an overview of how the data flows from its initial collection to the point at which it is erased. For a more in-depth look at how data mapping supports privacy compliance, click here.

The second step is a gap analysis. This is a critical evaluation of all the data maps to identify data privacy gaps. In essence, you assess the extent of your current compliance with data protection laws and regulations, and you identify the existing risks and data protection gaps in the processing of personal data in your organisation. Some best practices for privacy assessments include:

Conclusion

The privacy assessment process identifies data protection gaps and privacy risk factors. It shows how data comes into the organisation, how it moves, how it is used, how it is stored and secured, and how it is finally erased. Your organisation can then implement the recommendations of the privacy assessment report, allowing you to develop an effective compliance program. Next week we continue the ‘Roadmap to Data Protection Compliance’ series by advising on the key policies required for data protection compliance.
4 Considerations for Privacy Governance
In our previous article, we shared our thoughts on the importance of baseline training and why it should be the first step in data privacy compliance. Along the same line, this week we look at the significance of establishing a governance framework for your privacy compliance program.

Why privacy governance?

Crafting an appropriate governance framework for your privacy program is essential to safeguarding personal data in your organisation. Some benefits of a sound privacy governance framework are:

a. Facilitating data protection compliance

An efficient governance framework helps ensure that your organisation meets all its legal obligations under the current data protection laws. Through this framework your organisation can outline its compliance obligations and map out a path to compliance. Furthermore, you can set out a privacy accountability framework to ingrain a culture of data protection within the organisation.

b. Promoting brand reputation

An efficient privacy program also enhances your organisation’s reputation. If you misuse customer data you run the risk of severe backlash from your clients, which in turn dents your corporate image. A case example is the 2016 data breach and subsequent cover-up at Uber Technologies Inc., which saw its customer perception rating drop by 141.3%. A large part of the market share it lost went to rival company Lyft Inc. An elaborate privacy governance framework would shield your organisation against such risks.

c. Adopting a proactive approach to data protection

Merely adhering to the mandated data protection laws and regulations is a simplistic approach to privacy. Where an efficient governance framework is in place, the organisation advances from simply reacting to the laws to actively embracing data privacy and using it to its advantage. A proactive approach to data protection tailors your compliance strategy to the realities of your business. In addition, it allows you to foresee potential data risks and employ relevant mitigation strategies.

d. Improving operational efficiency

Another benefit of good privacy governance is improved operational efficiency in all functions that process data in the business. A privacy team is well placed to identify and minimise unnecessary costs that arise from inefficient data processing, for example by minimising the duplication of roles and eliminating duplicated data that drives up storage costs. In doing so, the team would not only save your business money but also optimise workflow.

Key considerations for your privacy governance structure

1. The privacy vision and mission

A privacy vision statement is an aspirational statement that articulates what the organisation would like to achieve regarding data protection. Through the vision statement, the company’s leadership communicates core privacy values to other stakeholders in the organisation. A mission statement is a succinct statement describing why a data privacy framework exists and the overall goals of the framework. Moreover, it describes some of the core principles embodied in the framework. Both statements embed a culture of privacy within the organisation that enables compliance. When included in outward-facing communications such as privacy policies, they demonstrate to the public a care for their personal information, reaping the benefits of trust and loyalty. A good example of this is Apple’s privacy mission statement, which reads as follows: “Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.”

2. Data governance

When crafting your privacy governance framework, you should consider your organisation’s data governance system carefully. Data governance is the system that defines what types of data are handled in your business, how they are handled, by whom, and how they flow through the organisation. Personal data is the central focus of privacy compliance, so your privacy governance framework should demonstrate a keen understanding of the data processing operations of your business. Using data maps and similar data tracking tools, you can document the footprint of data from when it is collected and recorded to when it is erased and disposed of. In doing so, you paint a holistic picture of your organisation’s interaction with personal data, which then guides your privacy governance program.

3. Positioning the privacy governance function

Consider also how your privacy function will fit within your current internal and external reporting structures. Privacy governance needs to be strategically domiciled in the business so that it can oversee crucial data processing operations. To illustrate, complex organisations with several department heads may need to decentralise privacy compliance so as to incorporate all the departments that process personal data. Conversely, a small or mid-sized enterprise might centralise the function by assigning it to one person, such as the CEO, so that any policies, protocols or directives issued can be easily tracked and implemented throughout the enterprise. Moreover, organisations with stringent statutory requirements, such as government agencies and multinational corporations, will need to align their privacy framework with their legal reporting obligations. In essence, establishing a privacy governance framework requires a broad understanding of the upstream and downstream interaction of stakeholders, and of the process of decision-making and issue resolution within your organisation.

4. Resourcing your privacy governance function

a) Appointment of a privacy team

Once you have conceptualised the privacy governance framework and defined its objectives, the next step is to appoint a team. Depending on the organisation’s needs, a single individual may manage the entire function or a cross-functional team may take it up. The team may comprise individuals skilled in data protection or data privacy champions from different departments. The Data Protection Act provides for the appointment of a data protection officer (DPO) where an organisation’s core activities require regular and systematic monitoring of data subjects or involve the processing of sensitive personal data; however, any organisation may appoint a DPO to facilitate the privacy compliance process. The DPO must have relevant academic or professional qualifications in matters relating…
The First Step Towards Data Protection Compliance
Following the enactment of the Data Protection Act, 2019 (the ‘Act’) and its supporting regulations, many organisations are gearing up for compliance. Privacy compliance has several aspects, including the determination of privacy governance structures; data mapping; privacy gap assessments; the development and implementation of policy and procedural frameworks; data security; and training and awareness. When embarking on the project, it is tempting to overlook initial training and sensitisation, but if properly executed it goes a long way towards ensuring the success of your compliance program. Let us consider some of the reasons why a privacy leader or manager should give priority to training and awareness when developing a privacy compliance program.
Scope of the Kenya Data Protection Act
In the course of doing business, it is common to interact with personal data relating to clients, suppliers, contractors and employees. You must handle this information in accordance with privacy laws and regulations to avoid litigation, regulatory fines and sanctions, or disrepute to the business. With the enactment of the Data Protection Act (the ‘Act’) and its supporting regulations, many businesses are now revisiting their relationship with personal data. In this article, we consider the scope of application of the Act, and how and when its exemptions apply.
5 Ways the Data Protection Act Impacts Procurement
One of the key aspects of data protection compliance is procurement, or third-party vendor, compliance. The Data Protection Act provides that where a data controller wishes to use the services of a data processor, it must first ascertain that the data processor has put in place sufficient safeguards for data protection.