By John Walibengo.
That sent the strongest signal yet that the Kenyan Data Commissioner, the privacy regulator, had not only landed but was actively scanning, mapping, and staking out the privacy territory.
We all know or have heard of the mental anguish some mobile lenders take their defaulting clients through — including calling all their neighbours, relatives, workmates, or pastors to recover their two or three-thousand shilling loans.
It is high time that some regulatory intervention came in to hear both sides of the story and see how best mobile money lenders can still carry on with their useful credit business without violating the privacy of their clients.
But what if you don’t belong to that category of Kenyans who enjoy quick and easy mobile loans? Why should you care about personal data privacy?
This is a pertinent question, particularly in an era of social media where the ‘Facebook/TikTok/Instagram’ generation is willing to give out copious amounts of personal data without regard to any current or future implications.
In other words, what would be the use of a privacy regulator in an environment where ‘Wanjiku’ cares little about privacy? In answering this question, we quote Edward Snowden, the former CIA employee who blew the whistle on some of the US government’s covert and extensive surveillance activities. He said:
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different from saying you do not care about free speech because you have nothing to say.”
Privacy is a human right guaranteed under Article 31 of the Kenyan Constitution 2010. So the Office of the Data Protection Commissioner is obliged to protect your data, even when you don’t know what personal data is or understand the privacy risks and harm that go along with it.
Obligations of Enterprises
And that’s why the focus will land on the enterprises that collect, process and share our personal data. These go beyond mobile money lenders and include telcos, hospitals, banks, Saccos, and educational institutions in both the public and private sectors.
Even if ‘Wanjiku’ does not care about her privacy, enterprises are obliged by law to care. Enterprises collecting personal data must do so in line with the data protection principles that include:
- Lawfulness, fairness and transparency;
- Purpose limitation;
- Data minimisation;
- Data accuracy;
- Storage limitation;
- Integrity and confidentiality (security).
These new requirements have severe implications for how organisations should henceforth treat the collection, processing, storage and sharing of personal data in their various business lines.
Indeed, the regulations require that organisations register with the ODPC as part of their preliminary journey towards data protection compliance.
Is your organisation ready?