By John Walubengo
It has been three years since the Kenyan Data Protection Act was enacted in November 2019 and two years since the first Data Commissioner was appointed and sworn into the Office of the Data Protection Commissioner.
A lot has taken place over this period, and more is likely to happen in the data privacy space in the immediate and long term. What have organisations been doing right, what have they been doing wrong, and how can they improve?
We look at the good, the bad, and the ugly side of data protection practices in Kenya.
Firstly, we take a look at the good stuff.
A good number of organisations have taken note of the regulatory requirements to register as Data Controllers, Data Processors or both, depending on their data processing operations.
A Data Controller is the entity that determines the purpose and means of processing the personal data it collects from ‘Wanjiku’ (the ordinary citizen), while a Data Processor is the entity contracted to process that data on behalf of the Data Controller.
Another positive development is that many professionals with an IT, Computer Science or Legal background have taken the time to enrol for, study for and sit data privacy exams such as ISACA's Certified Data Privacy Solutions Engineer (CDPSE) or the International Association of Privacy Professionals' Certified Information Privacy Professional (CIPP).
These internationally recognised privacy qualifications will provide much-needed data privacy expertise within the country and allow Kenyan professionals to contribute more effectively to global data protection conversations.
Already, local training institutions like Strathmore University and the Kenya School of Government have taken the lead in offering customised data protection training. This should challenge other training institutions to promote locally tailored data protection programs.
Now we take a look at the bad stuff.
What is emerging in the privacy space is that many organisations have taken their successful registration as Data Controllers or Data Processors as the end rather than the beginning of their data privacy journeys.
This is a fatal mistake on the same scale as a teenager who acquires his national identity card at eighteen and then assumes he is now a fully fledged adult, capable not only of voting but also of drinking large amounts of alcohol, getting married, paying rent and taxes, and handling all the other adult stuff.
Such teenagers often quickly discover that holding an ID card does not automatically translate to being a responsible adult. Organisations must quickly realise that having a data controller or data processor registration certificate does not automatically mean your entity complies with the many provisions of the Data Protection Act.
If anything, a registration certificate puts you on the radar of the Data Commissioner, and now you must up your privacy game.
Typical steps that organisations must take include commissioning privacy training for the whole organisation, carrying out data mapping, data protection impact assessments and privacy audits, and reviewing or drafting privacy documentation such as Privacy Policies and Data Protection Agreements, amongst others.
The ugly part I notice is that many in the public sector do not take up the data privacy challenges with the same zeal and urgency seen in the private sector. There seems to be a general misunderstanding that the privacy law and its associated concerns were meant for the private sector – particularly “big tech companies” like Facebook, Google, and Amazon or their local equivalents in the telco and financial sectors.
Yet the public sector traditionally has had the largest data controllers and, potentially, by extension, the most notorious violators of privacy rights – by commission or omission. State departments, agencies, county governments, and parastatals should lead by example and implement data privacy programs within their organisations.