The Data Protection Act was enacted in 2019 to provide a legal framework for the protection of personal data and aims to regulate the processing of personal information in Kenya. The Act requires that all data controllers register with the Data Protection Commissioner. To register, a data controller must submit an application to the Commissioner and pay the prescribed fee. The application should include information such as the name and address of the data controller, the types of personal data being processed, and the purposes for which the data is being processed.
The Data Protection Act was implemented to protect individuals’ right to privacy and their personal data from being misused, mishandled, or exploited. With the rise of technology and the increasing amount of personal information being collected and processed, there was a growing concern about the potential risks to individuals’ privacy and security. The implementation of data protection laws and regulations is aimed at ensuring that individuals have control over their personal data and can exercise their rights, such as the right to access their data, the right to correct any inaccuracies, and the right to have their data erased in certain circumstances. Data controllers are required to implement appropriate security measures to protect personal data from unauthorized access, theft, or loss. This helps to minimize the risks of data breaches and cyber-attacks, which can have serious consequences for individuals, including identity theft and financial fraud.
The guidelines for companies to implement data protection laws include the following:
- Appoint a Data Protection Officer (DPO): Depending on the size and nature of your business, you may be required to appoint a DPO. Even if not required by law, having a DPO can help to ensure that your business is taking appropriate steps to protect personal data.
- Conduct a data protection impact assessment: Before collecting or processing personal data, conduct a risk assessment to identify potential risks and impacts on individuals’ privacy. This will help to identify appropriate safeguards and measures to mitigate these risks.
- Obtain consent and ensure that individuals have given their explicit consent for the collection and processing of their personal data. This means that individuals must have been informed about the specific purposes for which their data will be used and must have given their consent freely, without coercion.
- Implement appropriate technical and organizational measures to protect personal data from unauthorized access, theft, or loss. This may include measures such as encryption, access controls, and staff training.
- Personal data should only be retained for as long as necessary for the specific purpose for which it was collected. Implement appropriate retention policies to ensure that personal data is deleted or anonymized once it is no longer needed.
- Be transparent about how personal data is collected, processed, and stored. Provide individuals with clear and accessible information about their rights and how they can exercise them.
- Provide training and awareness by ensuring that all employees are trained and aware of the data protection laws and their responsibilities. This includes training on how to identify and report data breaches.
The processing of personal data is exempt from the provisions of the Act if it is necessary for public registers, national security, and law enforcement, among others. It is important to note that exemptions to data protection laws are generally limited and subject to specific conditions. Therefore, organizations should carefully consider whether any exemptions apply and ensure that they comply with all other aspects of data protection laws.
Non-compliance with the Act can result in fines and penalties, including imprisonment for up to ten years. Therefore, it is important for all data controllers operating in Kenya to ensure that they are registered and fully compliant with the Data Protection Act.
The implementation of the Data Protection Act will have significant positive impacts on society by protecting privacy, increasing trust in businesses, improving data quality, enhancing data security, and increasing accountability.