26 Oct, 2025

Effectiveness of Kenya’s Data Protection Act (2019)

Kenya's Data Protection Act mandates that organizations ensure legal data handling. This study assesses compliance in insurance, banking, and e-commerce, noting successes and challenges. Recommendations include promoting data security, training, and stronger enforcement.

Executive Summary

Kenya's Data Protection Act requires organizations and businesses to make sure their data handling procedures comply with the law. This study assesses the degree of compliance in the insurance, banking and e-commerce industries, emphasizing successes, difficulties and implications for the protection of customer data. Enhancements include encouraging best practices for data security and protection, offering training and fortifying enforcement measures.

Introduction and Background

The Data Protection Act (DPA) requires data controllers and processors to guarantee lawful processing, data minimization and the rights of data subjects in order to safeguard personal data and privacy. Fines for noncompliance can reach KES 5 million, which is equivalent to 1% of an organization's yearly revenue. The DPA is enforced by the Office of the Data Protection Commissioner (ODPC) across all sectors; one noteworthy instance is the KES 4,550,000 fine imposed on an educational institution for publishing pictures of children without the approval of their parents.

Data and Analysis

Compliance with Data Protection in the Key Sectors

Banking Sector

Data policies are being aligned with data protection standards; however, there is still room for improvement.

  • Data Breach Incidents: Despite advancements, incidents like the unapproved disclosure of customer information have caught the attention of regulators; one well-known bank is embroiled in a Sh1.5 billion data breach litigation.
  • Regulatory Framework: The National Payment System Regulations and other guidelines released by the Central Bank of Kenya supplement the Data Protection Act.
  • Compliance safeguards: Although banks take the initiative to put data protection safeguards in place, there may be difficulties guaranteeing complete adherence to Act requirements.

Insurance Sector

  • Regulatory Audits: To evaluate compliance levels, the Office of the Data Protection Commissioner (ODPC) performs audits.
  • Policy Implementation: Due to resource limitations, smaller organizations frequently lag, which affects total compliance.
  • Data Protection Act: All data controllers and processors, including insurance businesses, are subject to the Act.
  • Compliance Measures: Insurance firms are required to follow guidelines such as getting consent and making sure that data is kept to a minimum.
  • Difficulties: Handling private and health information requires particular care.
  • Compliance Levels: The degree of compliance varies; larger companies typically have more robust procedures.

E-commerce Sector

  • Third-Party Data Sharing: Rapid growth of e-commerce makes data protection harder, and platforms routinely share user information with third parties without disclosing it in their privacy policies.
  • Consumer Awareness: More explicit user consent and clearer privacy regulations are required when data collection and utilization are opaque.
  • Regulatory Framework: The Act's provisions, including those pertaining to cross-border data transfers, must be adhered to by e-commerce platforms.
  • Compliance Measures: International operations and the data protection regulations of several jurisdictions present difficulties for e-commerce businesses.
  • Consent Management and Data Protection Impact Assessments: E-commerce sites rely on consent management tools and data protection impact assessments to meet their obligations under the Act.

Key Findings

Overall Impact on Customer Data Security

  1. Improved Privacy Protections: The Data Protection Act requires that personal information be handled securely and responsibly.
  2. Greater Transparency: Customers are more knowledgeable about how data is used.
  3. Better Data Handling Procedures: To lessen misuse or illegal access, organizations adopt better procedures.
  4. Regulatory Oversight: Failures to protect data are overseen by the Office of the Data Protection Commissioner.
  5. Obstacles and Gaps: Maintaining uniform compliance across all industries is still difficult.

Challenge: Strong data protection procedures are hampered by SMEs' lack of resources, limited public awareness and the pace of technical change; consumers remain poorly informed, and regulations need constant updating to keep up.

Recommendations

  • Staff Training: Organizations should invest in training initiatives to improve employees' comprehension of data protection regulations.
  • Public Education: To better educate the public about their data rights, the ODPC should work with industry stakeholders.
  • Frequent Audits: To find and close any possible compliance gaps, entities should frequently carry out internal audits.
