
The rapid growth of technology for automating business activities and improving the efficiency of services and products has led to increased use of individuals' personal data as a means of improving business performance. Personal data has become one of the most valuable business assets following the rapid growth of e-commerce, e-health services, mobile banking and digital marketing. This evolution has created a tension between the need to ensure legal compliance and the drive to grow the business and its market. It is, however, possible to grow a business and improve its performance while avoiding the legal risks of non-compliance with data protection law.
Legal Framework for Data Protection
Article 31 of the Constitution of Kenya, 2010 guarantees every person the right to privacy. This includes the right not to have information relating to their family or private affairs unnecessarily required or revealed, and the right not to have the privacy of their communications infringed.
The Data Protection Act, Cap 411C of the Laws of Kenya (originally enacted as Act No. 24 of 2019), gives effect to Article 31 (c) and (d) of the Constitution of Kenya. The Act also establishes the Office of the Data Protection Commissioner (ODPC), regulates the processing of personal data, sets out the rights of data subjects and outlines the obligations of data controllers and data processors.
Section 2 of the Act defines personal data as any information relating to an identified or identifiable natural person. The rights under the Act therefore protect natural persons only; they do not extend to information relating to companies or other bodies registered under any law.
The Crucial Considerations for Compliance
Business entities should comply with the Data Protection Act at every stage of the data lifecycle: the collection, processing, retention, transfer and deletion of data relating to customers or members of staff. This is only possible once the fundamental elements of the Act are understood. The crucial checkpoints include:
1. The Mandatory requirement for Registration of Data Controllers and Data Processors
Section 2 of the Act defines a Data Controller as a natural person or legal entity that determines the purpose and means of processing personal data. On the other hand, a Data Processor is a natural person or legal entity that processes personal data on behalf of the Data Controller.
Section 18 of the Act requires data controllers and data processors to register with the ODPC before collecting or processing personal data. Registration is applied for in the form and manner set out in the Data Protection (Registration of Data Controllers and Data Processors) Regulations, which also set the turnover and head-count thresholds below which registration is not mandatory unless the entity processes personal data in one of the sectors listed in the Regulations.
2. Compliance with the Principles of Data Protection
Section 25 of the Act outlines the various principles of data protection that business entities must comply with while collecting and/or processing personal data. Some of the key principles are outlined as follows:
- Personal data must be processed in accordance with the data subject's right to privacy under Article 31 of the Constitution;
- Personal data must be processed in a lawful, fair and transparent manner;
- Personal data must be collected for explicit, specified and legitimate purposes and must not be further processed in a manner incompatible with those purposes;
- Personal data must be adequate, relevant and limited to what is necessary for the purpose of processing;
- A valid explanation must be provided whenever information relating to a person's family or private affairs is required;
- Personal data must be accurate and, where necessary, kept up to date, with every reasonable step taken to erase or rectify inaccurate data without delay;
- Personal data must be kept in a form that identifies the data subject for no longer than is necessary for the purpose for which it was collected; and
- Personal data may not be transferred outside Kenya unless there is proof of adequate data protection safeguards or the data subject has consented to the transfer.
3. Safeguarding the Rights of the Data Subjects
A business entity must have regard to the rights of data subjects when collecting and processing their personal data. These rights are set out in section 26 of the Data Protection Act and include:
- Right to be informed of the use to which their personal data is to be put;
- Right to access their personal data in the custody of the business entity;
- Right to object to the processing of all or part of their personal data;
- Right to correction of false or misleading data about them; and
- Right to deletion of false or misleading data about them.
4. Implementing appropriate Technical and Organizational Security Measures for Safety of Personal Data
Section 41 of the Data Protection Act requires data controllers and data processors to implement appropriate technical and organisational measures designed to give effect to the data protection principles and to protect personal data from unauthorised access, disclosure, alteration or loss. Effective measures include:
- Encrypting personal data at rest and in transit, with the decryption keys stored and managed separately from the encrypted data and accessible only to authorised systems and staff;
- Requiring staff and customers to use strong passwords and enabling multi-factor authentication on accounts;
- Developing a privacy policy that addresses all the matters required under Regulation 23 of the Data Protection (General) Regulations;
- Conducting a data protection impact assessment (section 31 of the Act) before any processing that is likely to result in a high risk to the rights and freedoms of data subjects; and
- Putting in place logging and monitoring to detect breaches, together with procedures for notifying the Data Commissioner within 72 hours of becoming aware of a breach that poses a real risk of harm to data subjects, communicating with the affected data subjects in writing (section 43 of the Act), and mitigating the risks arising from the breach.
5. Compliance with the Legal Obligations for Utilizing Personal Data for Commercial Purposes
Section 37 of the Data Protection Act prohibits the use of personal data for commercial purposes unless the business entity has obtained the data subject's express consent, or is authorised to do so under a written law and has informed the data subject of that use. A business entity that uses personal data for commercial purposes must anonymise it in such a manner that the data subject is no longer identifiable.
Part III of the Data Protection (General) Regulations also requires business entities involved in direct marketing to provide a simple opt-out mechanism through which customers can request not to receive direct marketing messages. Contravening these requirements is a criminal offence punishable on conviction.
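The following is an added example, not part of the original article and not code of the firm or of the ODPC, showing what the measures described in points 4 and 5 look like in practice when a customer table is prepared for commercial analysis: an allow-list of fields (data minimisation), a retention cut-off after which records are deleted, exclusion of customers who have opted out of direct marketing, and replacement of the customer identifier with a keyed HMAC-SHA256 token plus generalisation of age into a band. The customer records, field names and the 24-month retention period are constructed for illustration and are not taken from any real dataset or from the Act.

```python
"""
Added example (not part of the original article): preparing a customer
dataset for commercial analysis while applying data minimisation, a
retention limit, direct-marketing opt-outs and pseudonymisation.
Standard library only. All records, field names and the retention period
below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Assumption: analytics data is kept for at most 24 months after the
# customer's last activity. The real period must come from the entity's
# own retention policy.
RETENTION = timedelta(days=730)

# Fields the marketing dataset may carry (data minimisation). Direct
# identifiers (name, email, phone) are deliberately absent from this list.
ALLOWED_FIELDS = ("customer_id", "county", "birth_year", "last_purchase")

# Constructed sample records (not real customers).
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Amina W.", "email": "amina@example.com",
     "phone": "+254700000001", "county": "Nairobi", "birth_year": 1990,
     "last_purchase": "2024-11-02", "marketing_opt_out": False},
    {"customer_id": "C1002", "name": "Brian O.", "email": "brian@example.com",
     "phone": "+254700000002", "county": "Kisumu", "birth_year": 1985,
     "last_purchase": "2021-03-15", "marketing_opt_out": False},
    {"customer_id": "C1003", "name": "Chebet K.", "email": "chebet@example.com",
     "phone": "+254700000003", "county": "Nakuru", "birth_year": 2001,
     "last_purchase": "2025-01-20", "marketing_opt_out": True},
]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for an identifier.

    Without `key` the token cannot be linked back to the customer; with it
    the business can still re-link, so this is pseudonymisation rather than
    anonymisation. The key must therefore be stored apart from the dataset
    (e.g. in a secrets manager) under strict access control.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def age_band(birth_year: int, today: date) -> str:
    """Generalise age to a 10-year band so the record is less identifying."""
    age = today.year - birth_year
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def expired(record: dict, today: date) -> bool:
    """Retention check: True when the last activity is older than RETENTION."""
    last = date.fromisoformat(record["last_purchase"])
    return today - last > RETENTION


def purge_expired(records: list, today: date) -> list:
    """Drop records whose retention period has lapsed."""
    return [r for r in records if not expired(r, today)]


def build_marketing_dataset(records: list, key: bytes, today: date) -> list:
    """Produce the dataset that may be used for commercial analysis:
    1. drop records past retention,
    2. drop customers who opted out of direct marketing,
    3. keep only allow-listed fields,
    4. replace the customer identifier with a keyed token and generalise age.
    """
    out = []
    for r in purge_expired(records, today):
        if r.get("marketing_opt_out"):
            continue
        minimal = {k: r[k] for k in ALLOWED_FIELDS if k in r}
        minimal["customer_id"] = pseudonymise(r["customer_id"], key)
        minimal["age_band"] = age_band(minimal.pop("birth_year"), today)
        out.append(minimal)
    return out


if __name__ == "__main__":
    # Fresh key for the demo; in production it lives outside the dataset.
    key = secrets.token_bytes(32)
    for row in build_marketing_dataset(CUSTOMERS, key, date(2025, 6, 1)):
        print(row)
```

Two caveats a practitioner should keep in mind. A keyed hash is reversible by whoever holds the key, so the output is pseudonymised rather than anonymised; whether a given dataset meets the standard of "no longer identifiable" required by section 37 is a legal judgement, and the remaining quasi-identifiers (county, age band, purchase date) can still single out individuals in small populations, so further generalisation or suppression may be needed. Second, the retention purge here only removes rows from the working copy; the same deletion must reach backups and any downstream copies for the retention principle to be satisfied.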
6. Compliance with the requirements for Cross-Border Transfer of Personal Data
Section 48 of the Data Protection Act sets out the conditions a business entity must satisfy before transferring personal data outside Kenya. It is therefore important for a business entity to ensure that:
- The customers or data subjects have provided express consent to the intended cross-border personal data transfer;
- It has provided proof to the ODPC of the appropriate safeguards for the security and protection of the personal data; and
- The transfer is legitimate and falls within the circumstances contemplated by section 48 (c) of the Act.
How we can Assist Business Entities in Data Protection Compliance
Our team of legal experts assists business entities with the challenges they commonly face in complying with data protection obligations. The team has over 5 years' experience in offering competent, efficient and client-driven solutions. Our services include:
- Helping business entities to register as data controllers and data processors;
- Drafting privacy policies that comply with the legal requirements and protect business entities from the risks relating to consent, collection, processing and retention of personal data;
- Carrying out data protection impact assessments to identify the data protection risks to which your business operations expose you; and
- Carrying out data protection audits and reporting on whether your legal documents and business operations comply with data protection obligations.