D4D Hub: Advancing Data Privacy in Kenya.
Kenya: Putting Data Privacy at the Heart of the Debate.
Listen to our podcast series that aims to help SMEs in Kenya comply with data protection regulations. The Data Protectors Podcast brings together Kenyan and European experts to explore different aspects of data protection compliance, share lessons learned, and identify opportunities created with the enactment of the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR).
These podcasts are produced by KICTANET and GIZ/DTC Kenya, in collaboration with Nairobi Legal Hackers, as part of the AU-EU D4D Hub project.
Episode 1: Data Protection Principles
The first episode of the Data Protectors Podcast touches on data protection principles and how small businesses and organisations can integrate them into their operations.
Whereas SMEs, start-ups and small civil society organisations are slightly different in their business models, they all face similar challenges regarding data protection compliance. More often than not, these organisations are resource-starved, meaning that they lack the capacity to, among other things, invest in compliance or the capacity to hire skilled data protection officers to guide them through compliance.
Our speakers, Liesa Borghaert and Mercy Mutindi delve into the seven data protection principles:
- lawfulness, fairness, and transparency;
- purpose limitation;
- storage limitation;
- data minimalisation;
- integrity and confidentiality; and
Most importantly, they provide practical advice on how to incorporate these principles into organisations’ day-to-day operations.
- Megan Kathure, Tech policy analyst
- Mercy Mutindi, General Counsel & Director Compliance at Wasoko
- Liesa Boghaert, Attorney-at-law at Timelex and GDPR expert
Episode 2: Registration as a data controller or processor
The second episode of the Data Protectors Podcast touches on registration as a data controller or processor. It explains who is required to register, why it is important, and how exactly one can register with the Office of the Data Protection Commissioner.
The Data Protection Act 2019 introduced an obligation for certain entities that process personal data in Kenya to register with the Data Protection Commissioner (ODPC). Specifically, all data controllers and processors that have an annual turnover or annual revenue above Kenya Shillings five million (KES 5,000,000/=) and/or more than ten (10) employees must register with the ODPC. However, even smaller organizations with a turnover below 5 million shillings and less than 10 employees must register if they operate in certain sectors.
In the second episode of the Data Protectors Podcast, Rosemary Koech and Elaine Wangari explore who is required to register, why it is important to register and how exactly one can register with the Office of the Data Protection Commissioner.
- Priya Shah, Director of Risk and Privacy Compliance at Carepay Ltd
- Elaine Wangari, Data Protection Specialist at HTB Group London
- Rosemary Koech, Co-organizer of Nairobi Legal Hackers and DPO at KCB Group
Episode 3: The Cost of Compliance
Episodes 1 and 2 of the Data Protectors Podcast presented the data protection principles and the first component of compliance: registration. Episode 3 builds on these themes to further explore the costs of complying with the Data Protection Act.
In this episode, moderated by Susan Wajiku, lawyers Catherine Kariuki and Cynthia Chepkemoi detail what documentation small and medium-sized enterprises need to be compliant.
They also explain how to get the relevant documents in a cost-effective manner. Finally, they provide useful guidance on how to get Data Protection Officers without breaking the bank.
- Susan Wanjiku, Digital Ecosystem Advisor at GIZ-DTC Kenya
- Catherine Kariuki-Mulika, TMT Partner at TripleOKLaw Advocates
- Cynthia Chepkemoi, Data Protection Counsel
Episode 4: Cross-border Data Transfers
According to the Data Protection Act of 2019, a data controller or data processor may transfer personal data to another country only where proof has been given to the Data Commissioner that the data will be transferred securely to a place with equal or stronger data protection laws compared to Kenya. However, there are also certain situations where data can be transferred without notifying the Data Commissioner, such as when the transfer is for legitimate interest, public interest or has the consent of the data subject.
In this episode, Mr John Walubengo and Simon Verschaeve explore what a cross-border data transfer is, the legal requirements when it comes to cross-border data transfers, and some lessons learned from Europe’s experience.
- Lemmy Kamau, Advocate of the High Court of Kenya and Data Protection and Privacy Specialist
- John Walubengo, Lecturer and Data Protection expert
- Simon Verschaeve, Data Protection Lawyer at DLA Piper
Episode 5: Engaging With Data Protection Authorities
This episode stars Tamar Kaldani, who is the former Data Commissioner of Georgia. and Rose Mosero, who is the Kenyan Deputy Data Commissioner, in a sizzling conversation moderated by Catherine Muya.
Our speakers demystify the role of the ODPC in Kenya and separate myths from the truth as Rose Mosero clarifies how SMEs can effectively engage the ODPC, report any complaints they might have, and get their issues addressed and resolved speedily by the ODPC. Tamar Kaldani shares some lessons for both regulators and SMEs on how to build a good relationship with each other and maximize the benefits.
- Catherine Muya, Program Officer, Digital Policy at ARTICLE 19 Eastern Africa
- Tamar Kaldani, Former Data Commissioner of Georgia
- Rose Mosero, Deputy Data Commissioner of Kenya
Episode 6: The Future of Data Protection
In episode 6, we take a crystal ball and try to predict the future of data protection and data security in Kenya and the globe as a whole.
Tarun Samtani and Francis Monyango dissect what the future of data protection will look like. They argue, along with other experts, that one of the biggest shifts likely to occur in the future is a motion towards a world where individuals have greater ownership over their rights.
Episode 7: The Role Of Academia
This episode guides listeners on easy-to-read publications and courses that they can access to build their capacity on data protection issues.
For the past six episodes, the Data Protectors Podcast has looked at current issues such as the data protection principles, the cost of compliance, cross-border data transfers and how to engage with data protection authorities. Episode 6 presented an interesting discussion on what experts foresee the future of data protection will look like. Today’s conversation focuses on the role that academic institutions and scholars can play in advancing data protection.
In the scintillating discussion moderated by Sumaiyah Omar, the speakers, Dr Patricia Boshe and Grace Mutung’u guide listeners on easy-to-read publications and courses that they can access to build their capacity on data protection issues. The episode also gives a sneak peek into the interesting work that both researchers are doing in the academic space to advance data protection.
Sumaiyah Omar, Advocate of the High Court of Kenya, Data Protection Officer
Grace Mutung’u, Digital Policy Researcher
Dr Patricia Boshe, Lecturer and a Senior Researcher, University of Passau (Germany)
Episode 8: The Role of Civil Society Organisations
This episode focuses on the role that civil society plays in championing the right to privacy and data protection. Featuring a spirited discussion involving Elliot Bendinelli from Privacy International and Meshack Masibo from KICTANet, moderated by Mercy Kingori from the Future of Privacy Forum, the episode narrows down on the challenges CSOs face in executing their work in data privacy and the importance of collaboration and alliances among civil society actors the world over.
Elliot shares, from a European perspective, how Privacy International alongside other civil society organizations in Europe boost compliance with Data Protection Laws in their society. Meshack shares how Kenyan CSOs have leveraged partnerships and collaboration to advance their cause and champion the right to privacy in Kenya.
1. Elliot Bendinelli – Program Director, Privacy International.
2. Meshack Masibo – Project Manager, Data Protector’s Podcast at KICTANet
Mercy Kingóri – Policy Analyst Africa, Future of Privacy Forum