Data Protection Takes Centre Stage In Annual Cybersecurity Report


It is said to be a matter of when, not a case of if.

When will a cybersecurity threat manifest?

If that confounds you, here are more facts. 45 per cent of IT and security professionals are aware of the existence of the Data Protection Act but have not read it extensively.

30 per cent know just a little bit.


According to the survey's respondents, being familiar with the Data Protection Act (2019) means “to be aware of its existence.”

Marry a case of when, data protection and privacy laws and you get very antsy security analysts. Add cybercrime and you have a trifecta.

Cybercrime is ever-evolving. It commonly comes in the form of ransomware, malware, phishing, social engineering, Distributed Denial of Service (DDoS) and Denial of Service (DoS).

But now, with the rapid adoption of Cloud computing technology, newer threats such as Cloud Vulnerability, Machine Learning poisoning, Artificial Intelligence (AI) enhanced threats and Smart Contract hacking are on the rise, says the 2019/2020 Serianu Africa Cybersecurity Report, Kenya, Local Perspective on Data Protection and Privacy Laws: Insights from African SMEs. Crime has long outpaced security.


To win this war, or rather, perhaps, to manage the casualties of war, organisations need to stay a step ahead of cybercrimes. This, the report says, is doable with a “structured security strategy that is championed from the top management and cascaded down to every level.” The problem is, you are only as successful as your weakest link. And we all know who that is: yes, the end-user.

Launched today, the Africa Cybersecurity Report, Kenya dedicates two entire chapters to data protection law. It reveals that the dominant theme of 2019 was data protection and privacy, with ransomware attacks growing by 118 per cent globally, increased ATM attacks, coordinated attacks in East Africa and data protection, while 2020 was about business continuity thanks to COVID-19. 2020 was also marked by unsecured remote connections and, gradually, the embrace of remote working.

Our Data Protection Act (2019) is highly praised for being compliant with the European Union’s General Data Protection Regulation (GDPR). In it are bold threads weaving in the right to privacy, which is essential when you look at some of the statistics in the report.

Currently, over “70 per cent of respondents process PII (personally identifiable information) within their organisation” while “over 60 per cent process PII through third party systems both within and outside of the country.”


76 per cent of respondents do not have cyber insurance, which means they take a big financial hit. For the 76 per cent, Britam, AIG, Minet and Dawit Insurance Agency Limited are listed as companies offering cyber insurance in Africa because companies underestimate the likelihood of cyberattacks.

Businesses now have to comply with data protection laws and, with the solidity of GDPR, these laws are edging towards being universal law. UNCTAD (United Nations Conference on Trade and Development) says 27 African countries have enacted data protection and privacy legislation, with nine others in the process. This places Africa ahead of the Americas. The European region leads with 96 per cent compliance.

So long as you are in the kind of business that handles data, or are in direct contact with another’s data, the law applies to you. Which is why data needs consent from its owner as to how it gets handled.

That means disclosing the purpose of said information and how it shall be used, right down to how long this information can be stored. And if you collect data for, let’s say, toothpaste, you can’t turn around and decide to use it for chicken feed. Should your data be compromised, then you, as well as the data commission, need to be informed ASAP. You also have a right to destroy, collect or delete your information.

What qualifies as PII? This does.

It is why IT security teams are expected to fiercely protect your data, and this works best if they are cohesive, dedicated and centralised. Why is data so critical?

Data, so The Economist declared in 2017, is the new oil.

Data also seemingly lends itself to cliches in this article…

Data is described as the fuel of the digital economy. Herein comes academia, a sector which needs to collaborate with the industry so that learning institutions can bestow upon students the required skills when it comes to data protection and privacy.

Small wonder Data Scientist was listed as ‘the sexiest job of the 21st century.’ Data protection and privacy are so critical, the report states, that organisations are on the hunt for data protection officers (DPO). It adds that organisations need a “cross-functional data privacy leadership team with C-Suite board representation.” It also concedes that this is a new field but that, in spite of its newness, it cannot be treated lightly.

