Since the Data Protection Act, 2019 (DPA) was passed, data privacy has become a crucial concern for Kenyan enterprises. With the creation of the Office of the Data Protection Commissioner (ODPC) and the stronger enforcement of data privacy and security regulations that followed, compliance is now a business necessity. This blog explores essential data protection compliance best practices, significant cases determined by the ODPC, and how Reel Informatics can help businesses establish robust data security and governance procedures.

Lessons from Privacy Cases Determined by the ODPC

The Office of the Data Protection Commissioner (ODPC) in Kenya has addressed several significant cases that underscore the importance of robust data protection practices. Below is an overview of these cases:

  • Huduma Namba Compliance Order

Background: The Kenyan government initiated the National Integrated Identity Management System (NIIMS), commonly known as Huduma Namba, to centralize citizens’ personal and biometric data. However, concerns arose regarding the adequacy of Data Protection Impact Assessments (DPIAs) before its rollout.

ODPC Action: The ODPC mandated that a comprehensive DPIA be conducted before the continued processing of data and the issuance of Huduma cards. This decision emphasized the necessity of assessing privacy risks in large-scale data collection initiatives.

Implications: Organizations must perform thorough DPIAs to identify and mitigate privacy risks before implementing extensive data processing activities.

  • Safaricom Data Breach Incident

Background: Safaricom PLC, a leading telecommunications company, was accused of improperly disclosing customer data. Complaints lodged with the ODPC alleged that Safaricom had violated the Data Protection Act (DPA) in its collection, processing, and use of personal data, particularly through AI-powered systems.

ODPC Action: The ODPC investigated the alleged data breach to determine Safaricom’s compliance with the DPA.

Implications: This case underscores the need for organizations to implement stringent data protection measures and ensure transparency in data processing activities.

  • Unsolicited Marketing by Betting Firms

Background: Several betting companies were found to have sent unsolicited marketing messages to individuals without obtaining explicit consent, violating data processing regulations.

ODPC Action: The ODPC investigated these practices, highlighting the importance of obtaining clear and informed consent before processing personal data for marketing purposes.

Implications: Organizations must prioritize obtaining explicit consent from individuals before using their data for marketing, ensuring compliance with data protection laws.

  • WPP Scangroup Data Breach

Background: Bharat Thakrar, the former CEO of WPP Scangroup, alleged that his personal data was accessed without his consent during an internal investigation, leading to significant personal and professional harm.

ODPC Action: The ODPC found that WPP Scangroup had violated the Data Protection Act by mishandling Thakrar’s personal information and ordered the company to pay 1.95 million Kenyan shillings in damages.

Implications: This case highlights the necessity for organizations to obtain explicit consent before accessing employees’ data and to ensure compliance with data protection laws during internal investigations.

  • Fines Imposed on Three Organizations for Data Privacy Infringements

Background: In September 2023, the ODPC fined three businesses a combined total of about 9 million Kenyan shillings for data privacy violations, including processing personal data without a lawful basis.

ODPC Action: The ODPC imposed sanctions on the organizations to emphasize that data protection is a mandatory obligation, not an option.

Implications: This action serves as a stern reminder to all entities processing personal data under Kenyan law to ensure they have a lawful basis for data processing activities.

How can Organizations Enhance their Data Privacy Regimes?

To safeguard sensitive information and achieve compliance with the DPA, businesses must adopt industry best practices:

  1. Develop a Comprehensive Data Protection Policy: Establish a framework for the responsible management of personal data. Policies should address data collection, storage, processing, and sharing practices.
  2. Conduct Data Protection Impact Assessments (DPIAs): Use DPIAs to identify and mitigate risks associated with data processing operations, especially when implementing new technologies or handling sensitive data.
  3. Strengthen Technical Controls: To protect against breaches and cyber threats, employ robust access controls, encryption, and firewalls and conduct regular vulnerability assessments.
  4. Provide Transparent Privacy Notices: Ensure clear and concise privacy statements that explain the use and storage of personal data. Obtain and document valid consent from data subjects.
  5. Appoint a Data Protection Officer (DPO): Engage a qualified DPO to oversee compliance efforts and guide the organization in adhering to data protection regulations.
  6. Implement Regular Staff Training: Educate employees on data privacy principles to minimize the risk of accidental breaches and foster a culture of compliance.
  7. Perform Regular Audits: Conduct internal and external audits to stay aligned with evolving regulatory requirements and verify the effectiveness of data protection measures.

How Reel Informatics Can Help

At Reel Informatics, we specialize in governance, risk management, and compliance (GRC) to support businesses navigating the complex data security landscape. Our tailored services include:

  • Data Protection Compliance Audits: Identify areas of non-compliance and implement effective solutions.
  • Policy Development and Implementation: Create and deploy data protection policies aligned with industry standards and business objectives.
  • Outsourced DPO Services: Access expert guidance to fulfill your legal obligations under the DPA.
  • Customized Training Programs: Educate employees on compliance requirements and build a culture of data security.

“Join us to secure data, establish credibility, and comply with regulations for a safer future.”

Contact us today for more details about our data security offerings.