Kenya will soon have a law that guides and regulates how people’s private data and information will be retrieved, managed, utilized and secured. However, few companies have the cybersecurity infrastructure, corporate culture or data policies that will enable them to comply with this law without encountering major hurdles.
Once passed, the Data Protection Bill 2018 will provide a uniform piece of regulation whose requirements will be standardised across the entire Kenyan economy, ensuring personal data is subjected to the highest levels of security, privacy and protection, but without hindering innovation and economic growth.
In line with rising personal privacy concerns, the bill proposes that “an agency shall not transfer personal data of a subject outside the territory of the Republic of Kenya unless the subject consents the transfer and it will be beneficial to the subject.”
But even as the bill is yet to be passed into law, developments in the last five years show that we have a potential crisis on our hands if companies do not start preparing to incorporate these regulations into their data management systems and policies. The rise of local technology-based services that rely heavily on private personal data clearly reveals this gap.
For instance, many of the local mobile lending apps ask users to grant access to a great deal of private information in order to qualify for a loan. This includes access to phone call records, the phonebook, SMS messages and geolocation information. A similar case could be made for some of the taxi-hailing apps now popular with Kenyans.
While some of these technology companies have gone to great lengths to ensure users give informed consent regarding their personal data in the companies’ possession, the channels of communication for this consent are rather obscure. This will radically change once the data protection laws are enacted, and both users and organizations should be ready for the shift.
Many of the new mobile lending companies ask people for permission to access sensitive data, but don’t make any effort to explain to Kenyans how the accessed data will be used, and for how long it will be retained. This will have to change.
The proposed data protection law clearly states that agencies have a duty not only to notify people of the fact that personal data is being collected, but also to state the ‘purpose for which the personal data is being collected’.
And if an organisation shares its employees’ or clients’ personal data without properly and clearly informed consent, the heads of the institutions concerned, whether government or private agencies, will be jailed for five years or fined Kshs 500,000, or both.
Furthermore, “a data controller or data processor shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed.” These provisions are very similar to, and one may argue that they borrow heavily from, the recently enacted European Union data protection law, the General Data Protection Regulation (GDPR).
Even Mozilla, the not-for-profit behind the Firefox browser, made a forceful submission on the Kenyan Data Protection Bill at the comment stage, stating: “We believe that a strong data protection law must protect the rights of individuals with meaningful consent at its core. It must have strong obligations placed on data controllers and processors reflecting the significant responsibilities associated with collecting, storing, using, analyzing, and processing user data; and provide for effective enforcement by an empowered, independent, and well-resourced Data Protection Authority.”
By ensuring compliance from a data storage and processing standpoint, companies can avoid the risk of legal action from the individuals whose data is being handled. This is all the more important when one remembers that, under the new regulation, companies found to be breaking the law could be fined up to 5% of their revenue.
However, what matters most is that governments and private organisations respect and protect the privacy of the people whose data is essential to the success of their business. Cybersecurity goes beyond preventing criminal elements from stealing organizational data; it must also include protecting the privacy of the employee and client data in your possession.
Even as Kenyans familiarise themselves with this revolutionary law and its implications for cybersecurity and data privacy, organizations need to be at the head of this learning curve. It will prove less costly to adopt these regulations into your company culture and systems now than to wait until a lawsuit forces you not only to invest in better data management systems, but also to pay hefty fines.
Benard W. Njoroge is the Managing Director of Adrian Group Limited.