The Kenya Data Protection Act provides for the appointment of data protection officers (DPOs) by private companies and businesses that process sensitive information about their customers and employees. This eases the compliance burden on businesses by having compliance spearheaded by the DPO.
A DPO may be an internal member of staff or an external consultant or business practice. An entire business or company group may have one DPO, as long as that DPO is accessible to all the entities within the group. The DPO is the contact person for all data protection matters, particularly for requests from regulators, including the ODPC.
Data Protection Impact Assessment
The Data Protection Act requires businesses to conduct a data protection impact assessment (DPIA) where a processing operation is likely to result in a high risk to the rights and freedoms of a data subject. This may be by virtue of the nature, scope, context and purposes of the processing; an example is a product that will involve huge amounts of data being analysed. The DPIA must be carried out and its report submitted to the Office of the Data Protection Commissioner (ODPC) 60 days prior to the processing of data. This requirement may affect product launches in the financial, telecom and marketing sectors.
A DPIA shall include:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the business;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects;
- the measures envisaged to address the risks and safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.
Now that Kenya has a substantive data protection law, each business needs to do some introspection and re-examine its current internal business processes, as well as the compliance status of its partners and suppliers, particularly those connected to the business information infrastructure. The best place to begin is with a data protection compliance audit. The results of the audit would then inform next steps and priority action areas.