Last week, I attended an ongoing training on cybersecurity. The training is unpacking what has been termed the 5Ws of Cybersecurity, and it is sponsored by the U.S. Embassy Nairobi and implemented through the Sochin Research Institute.
The most interesting part of the training concerned Kenya’s Data Protection Act and what it means for businesses. As the session kicked off, it was obvious that the majority of Kenyans, within and without the room, had no idea of what the Data Protection Act is all about.
For those who are still in the dark, over the last few years there has been a lot of talk about the need to legislate on the right to privacy and data protection in Kenya. This emanated from the fact that Kenyans’ personal data was never safe in the hands of the government or corporations.
The proponents of the legislation hoped that such a legal measure would deal with unfettered surveillance capitalism, protect citizens against unwarranted state surveillance, and offer a reasonable level of privacy to all. The question that remains, however, is whether citizens really understand their rights and how those rights will be enforced.
There are many schools of thought on how the Act is going to impact businesses. Some say the Act is good for business while some, like me, feel the Act is going to impact negatively on businesses. Why? For entities engaged in the business of big data or profiting from surveillance capitalism, a law defining the right to privacy and data protection only spells doom for their profitability. This is because, initially, the unregulated data governance environment seemed the less expensive option for businesses.
“The enactment of the Data Protection Act is a great win for the data subject, especially in terms of the implementation of Article 31 of the Constitution. It, however, portends huge compliance requirements for the data processor, or data controller, and I predict a paradigm shift in how personal data is handled,” said Kennedy Murunga Murere, an Advocate of the High Court of Kenya and a founding partner at MAW Advocates LLP. Mr. Murunga made these comments during a public speaker event at the American Space Moi University. These monthly speaker events are part of the 5Ws of Cybersecurity project that also includes monthly training sessions.
According to Mr. Murunga, the Data Protection Act was enacted to give effect to Articles 31(c) and (d) of the Constitution of Kenya, which guarantee the right of every person not to have “information relating to their family or private affairs unnecessarily required or revealed” and the right not to have “the privacy of their communications infringed”.
The Act, he said, seeks to regulate the collection, retrieval, processing, storing, use and disclosure of personal data; prior to it, Kenya did not have specific data protection legislation.
For businesses to be on the safe side of this law, it is important that they create a culture of data protection not just for personal data that is regulated under the Act, but also for data that relates to business operations, trade secrets, financial data and human resources, among others. Businesses will have to ensure that all employees are well versed in the law and play an integral part in its implementation.
“Under this law, businesses should consider internalizing the law through institutional data protection policies that will bind all staff, employees, and agents. Such policies would form part of the employment/service contracts offered by the business. This provides a somewhat higher level of commitment toward data protection.”
“The Act is a significant milestone; it is a testimony to the country’s commitment to being one of the continent’s leaders in promoting innovation and, at the same time, it recognizes the fundamental importance placed on protecting the personal data of individuals,” said Mr. Murunga.