The Kenyan Data Protection Act (DPA) came into force on 25th November 2019. It aims to protect the privacy and security of personal data of individuals and organizations in Kenya. The DPA is based on the principles and standards of the General Data Protection Regulation (GDPR), which is the European Union’s comprehensive data protection law.
The DPA applies to any person or entity that collects, processes, stores, transfers, or discloses personal data in Kenya, or outside Kenya if the data relates to a Kenyan citizen or resident. Personal data is any information that can identify or relate to a natural or legal person, such as name, address, phone number, email, ID number, bank account, health records, biometric data, etc.
The DPA establishes the Office of the Data Protection Commissioner (ODPC), which is the independent authority responsible for overseeing and enforcing the DPA. The ODPC has the power to issue guidelines, codes of practice, regulations, orders, notices, and administrative fines for non-compliance with the DPA.
The DPA also grants rights to data subjects (the individuals whose personal data is processed), such as the right to access, rectify, erase, restrict, object, and port their personal data. Data subjects also have the right to withdraw their consent at any time and to lodge a complaint with the ODPC or a court if they believe their rights have been violated.
As accountants, we deal with personal data of our clients, employees, suppliers, and other stakeholders on a daily basis. We need to be aware of our obligations and responsibilities under the DPA and ensure that we comply with its requirements. Here are some of the key steps we should take to achieve compliance:
- Conduct a data protection impact assessment (DPIA) to identify and assess the risks and impacts of our data processing activities on the rights and freedoms of data subjects. A DPIA should be done before starting any new or significant data processing project or activity.
- Register as a data controller or processor with the ODPC if we collect or process personal data on behalf of ourselves or others. Registration is done online through the ODPC website and requires providing information such as our name, address, contact details, purpose and nature of processing, categories and sources of personal data, recipients and transfers of personal data, security measures, etc.
- Appoint a data protection officer (DPO) if we process large amounts of sensitive personal data or monitor data subjects systematically or regularly. A DPO is a person who is responsible for ensuring compliance with the DPA and acting as a contact point for the ODPC and data subjects. A DPO should have adequate knowledge and expertise in data protection law and practice.
- Implement appropriate technical and organizational measures to protect personal data from unauthorized or unlawful access, use, disclosure, alteration, loss, or destruction. Such measures may include encryption, pseudonymization, access control, backup, firewall, antivirus, etc.
- Obtain valid consent from data subjects before collecting or processing their personal data, unless there is another lawful basis for doing so. Consent must be freely given, specific, informed, and unambiguous. It must be obtained through a clear and affirmative action by the data subject (e.g., ticking a box or clicking a button). Pre-ticked boxes or silence are not valid forms of consent.
- Provide clear and transparent information to data subjects about how we collect and process their personal data. This information should be provided in a concise, easy-to-understand, and accessible form (e.g., through a privacy notice or policy). The information should include our identity and contact details, the purpose and legal basis of processing, the categories and sources of personal data, the recipients and transfers of personal data, the retention period of personal data, the rights of data subjects, etc.
- Respect the rights of data subjects and respond to their requests within one month. Data subjects have the right to access their personal data that we hold; rectify any inaccurate or incomplete personal data; erase their personal data if it is no longer necessary or lawful; restrict the processing of their personal data in certain circumstances; object to the processing of their personal data for direct marketing or other legitimate interests; port their personal data to another service provider; withdraw their consent at any time; lodge a complaint with the ODPC or a court.
- Limit the collection and processing of personal data to what is necessary and relevant for our legitimate purposes. We should not collect or process more personal data than we need or use it for purposes that are incompatible with those for which we obtained it.
- Ensure that we have a lawful basis for transferring personal data outside Kenya. Such transfers are only allowed if we have obtained consent from the data subject; if it is necessary for the performance of a contract with or in the interest of the data subject; if it is necessary for the establishment, exercise, or defense of a legal claim; if it is necessary for a public interest purpose; or if the ODPC has authorized the transfer. In addition, we should ensure that the recipient country or organization provides an adequate level of data protection or that we have implemented appropriate safeguards (e.g., contractual clauses, binding corporate rules, etc.).
- Report any personal data breach to the ODPC and the affected data subjects as soon as possible. A personal data breach is any incident that compromises the confidentiality, integrity, or availability of personal data. We should notify the ODPC within 72 hours of becoming aware of the breach and provide information such as the nature and extent of the breach, the likely consequences and risks, the measures taken or proposed to address the breach, etc. We should also inform the data subjects without undue delay if the breach poses a high risk to their rights and freedoms.
The DPA is a significant and positive development for data protection in Kenya. It aims to enhance the privacy and security of personal data and to foster trust and confidence among data subjects and data controllers and processors. As accountants, we have a duty to comply with the DPA and to demonstrate our accountability and professionalism in handling personal data. By doing so, we can not only avoid the legal and reputational risks of non-compliance, but also gain a competitive advantage and create value for our clients and stakeholders.