In 2024, the Office of the Data Protection Commissioner (ODPC) published two sets of draft regulations and a guidance note aimed at enhancing data protection compliance:

- The Data Protection (Conduct of Compliance Audit) Regulations, 2024
- The Data Sharing Code (Guidance Note)

In this update, we focus on the Data Protection (Conduct of Compliance Audit) Regulations. Our next update will cover the Data Sharing Code.

Overview: Data Protection (Conduct of Compliance Audit) Regulations, 2024

1. Object and Purpose of the Regulations

The proposed Regulations aim to:
- establish a structured framework for conducting data protection audits;
- promote audit quality and consistency; and
- establish accreditation criteria for data protection auditors.

2. Types of Audits

The Regulations provide for two types of audits: periodic audits and special audits.

3. Initiation of Audits

The ODPC may conduct a data protection audit itself, outsource the conduct of the audit, or affirm a data protection audit report submitted to it by an accredited auditor. In addition, a data controller or data processor may initiate an audit on its own volition.

a) Audits initiated by the Data Commissioner

The Data Commissioner may initiate a compliance audit in the following circumstances:
- upon receiving a complaint regarding an entity's data protection practices;
- as part of a broader regulatory investigation;
- based on a risk assessment; or
- in response to a perceived or real privacy risk, or a data breach notification.

Before initiating an audit, the Data Commissioner must give the data controller or data processor 30 days' notice.

b) Audits initiated by data controllers or data processors

A data controller or data processor may, on its own volition, initiate a data protection audit:
- to proactively assess its data protection compliance posture; or
- as a corrective measure following a data breach or other data protection concern.

A data controller or data processor initiating a voluntary audit may engage an auditor accredited under the Act to conduct the audit.

4. Accreditation of Data Protection Auditors

The Regulations introduce a requirement for the accreditation of independent data protection auditors. To be accredited, an auditor must submit the following to the ODPC:
- firm or establishment details;
- proof of academic and professional qualifications in data protection;
- evidence of relevant experience in data protection audits; and
- evidence of adequate professional indemnity cover.

Accreditation attracts a fee of Kes. 150,000/-. The accreditation is valid for a fixed period, although the Regulations do not define that period. On expiry, the accreditation is renewable at a fee of Kes. 100,000/-. The ODPC will maintain a public register of accredited auditors and may reject an application for accreditation or revoke an existing accreditation.

5. The Audit Process

In conducting an audit, the Data Commissioner or the accredited data protection auditor must follow a structured process, which includes:
- developing a detailed audit plan outlining the methodology, scope and timeline of the audit;
- conducting relevant interviews with the data controller or data processor; and
- reviewing relevant documentation and records relating to data processing activities, including:
  - data protection policies and procedures;
  - records of data processing activities;
  - data security measures; and
  - records of data subject requests and the responses to them.

6. Tests and Assessments

The auditor may also perform any tests or assessments necessary to evaluate compliance with the requirements of the Act.

7. Data Controller Responsibilities in the Audit Process

Data controllers and data processors must give the auditor reasonable access to all information and documentation necessary for conducting the audit, designate a contact person, and cooperate fully with the auditor in addressing any non-compliance issues.

8. The Auditor's Responsibilities

Accredited auditors must:
- conduct the audit in accordance with professional standards and best practices;
- plan the scope of the audit effectively, based on the specific needs of the audit;
- employ appropriate audit methodologies to assess compliance with data protection requirements;
- maintain the confidentiality and security of all information received during the audit process; and
- avoid conflicts of interest.

9. Reporting Audit Findings

Accredited auditors must prepare a written audit report detailing the scope and methodology of the audit, the findings, and the recommendations for corrective action. The data controller or data processor must be furnished with the report and given a reasonable time frame within which to respond to the findings and recommendations.

10. Enforcement Actions

Following an audit, the Data Commissioner may:
- issue recommendations for improvement to the data controller or data processor;
- issue enforcement or penalty notices requiring the data controller or data processor to take specific corrective action; or
- initiate further investigation into non-compliance.

11. Cooperation and Confidentiality

The Data Commissioner, the auditor, and the data controller or data processor must all cooperate in a professional and timely manner throughout the audit process. All information obtained in the audit is to be treated as confidential, except where it is disclosed with the authorisation of the data controller or data processor, or where disclosure is required by law. In addition, auditors must implement appropriate safeguards to protect the confidentiality of personal data accessed during the audit process.

12. Reporting by the ODPC

The ODPC must prepare and publish an annual report on the implementation of the Regulations, including the number of audits conducted, the audit findings, and the actions taken. The report is to be made available to the public to promote transparency and accountability.

Next Steps

The draft Regulations are currently undergoing public participation before being tabled in Parliament for adoption. We will keep you informed of further developments. In the meantime, we recommend that you continue enhancing your privacy compliance programme to minimise regulatory risk.

New Book Alert!

As data protection compliance continues to evolve, we are excited to announce the upcoming release of our book, "Data Protection in Kenya: Case Law". This book provides:
- a detailed analysis of key data protection cases in Kenya;
- insights into regulatory enforcement trends; and
- lessons for businesses, legal professionals, and compliance officers.

This resource will be an essential guide for anyone looking to navigate Kenya's data protection landscape effectively.
