Guest Post by Asiri Africa.
Information management has been at the heart of economic growth for decades now. In our current global dispensation, data has emerged as the fuel of the Fourth Industrial Revolution (4IR).
The growth of the web and smartphones has led to a surge in digital data created in the last decade alone. Data now includes text, audio, and video information, as well as log and web activity records (Source: Search Data Management).
Following the outbreak of the pandemic in 2020, technology has cemented its position as the main protagonist for people living in the 21st Century. The strict lock-down measures – implemented by various governments across the globe aimed at curbing the spread of the COVID-19 virus – have rapidly accelerated existing trends: e-commerce, at-home entertainment, and also working remotely.
Whereas most industries and sectors were on a steady path towards digitization, studies have shown that these efforts have now been expedited to ensure that businesses and organizations improve on and/or remain visible in the market.
In addition to the enhanced digitization of various industries, data today is seen by many as the most lucrative commodity of the new global economy. Data analytics and self-teaching algorithms are projected to continue to disrupt every imaginable market as well as to create new ones.
With this increased demand for data, governments are putting in place stricter data governance regulations aimed at safeguarding the privacy of their citizens (data subjects) and ensuring that data is collected and processed in line with the universal principles of data protection.
The most recent and notable global step towards safeguarding data privacy was the enactment of the General Data Protection Regulations (the GDPR) in 2016 by the European Union Parliament.
The GDPR is hailed as the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations worldwide, so long as they target or collect data related to people in the European Union. Non-compliance with the GDPR attracts harsh fines, which will be levied against those who violate its privacy and security standards.
As the heart of East Africa’s technology ecosystem, Kenya has taken a lead in enacting data protection legislation, namely the Data Protection Act No. 24 of 2019 (the DPA), whose provisions largely borrow from those of the GDPR. The objectives of the DPA are inter alia to:
In addition to the enactment of the DPA, the government has taken additional steps towards operationalizing this Act. In November 2020, Immaculate Kassait was appointed as Kenya’s first Data Commissioner under the DPA.
Further, in January 2021, the Cabinet Secretary in charge of ICT appointed a task force to develop the Data Protection General Regulations, which will bring into effect the provisions of the DPA.
Organizations collecting and processing data, known as data collectors and data processors, are obligated to comply with the provisions of the DPA.
In order to comply with the principles of the DPA, it is our considered opinion that every organization must create and/or update its privacy policies.
A privacy policy can simply be defined as a document that explains what kind of personal information an organization gathers from its customers, employees, and/or business associates, how such information will be utilized, and how it will be kept safe.
A privacy policy would also include information relating to data storage, security, and access, details of data transfers, and affiliated organizations.
The contents of a privacy policy may vary depending on the nature of the data collected, the purpose of processing, and the audience to whom the information is directed.
The DPA has introduced the principle of data protection by design. The privacy by design approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy-invasive events before they happen.
Privacy by design does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred; it aims to prevent them from occurring. In short, privacy by design comes before the fact and not after.
Organizations that fall under the category of data processors and data controllers shall be required to implement appropriate technical and organizational measures which are designed to proactively implement the data protection principles in an effective manner and to integrate necessary safeguards for that purpose into the processing. Having a privacy policy is the first step towards actualizing this principle.
In addition to the principle of data protection by design and by default, the DPA has also introduced the requirement of obtaining consent from a data subject for purposes of collection and processing of personal information. The DPA places such high importance on consent that data processors and data collectors shall bear the burden of proof for establishing a data subject’s consent to the processing of their personal data for a specified purpose.
Consent under the Act is defined as any manifestation of express, unequivocal, free, specific, and informed indication of the data subject’s wishes by a statement or by clear affirmative action, signifying agreement to the processing of personal data relating to the data subject. Without this consent, a data subject’s information may not be processed. It is therefore important that an organization’s privacy policy include a provision for the data subject to give their consent.
In the event of an infringement of the provisions of the DPA, the offending organization would be liable to pay penalties as prescribed under the Act. The maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to five million shillings (Kshs 5,000,000.00), or in the case of an undertaking, up to one per centum (1%) of its annual turnover of the preceding financial year, whichever is lower. In addition to the monetary fines imposed by the regulator for breach of data privacy provisions, organizations stand to lose valuable goodwill that comes with such violations.
From the foregoing, we have established that data privacy and protection should be prioritized by every business, large or small, regardless of sector. Data collection is now a critical component of all business operations, whether it is client data to perform a simple service or enterprise data to ensure operations of critical infrastructure.
Organizations should therefore invest in the development and/or improvement of their privacy policies in order to avoid the consequences of non-compliance with data protection principles.
O&M Law LLP has a robust intellectual property (IP) department that is well versed in data protection principles and obligations and would be happy to assist clients, in either an individual or a corporate capacity, to safeguard their privacy.
The organization is a member of Asiri Africa – an alliance of professional services firms comprising lawyers, corporate, financial, audit and tax advisors.
Together they have organized a webinar on Intellectual Property (IP) in line with the World Intellectual Property Day theme. Sign up today!
Webinar: The Workshop // Registration & Enforcement of IP Rights. Speakers: Patrick Ogola & Andrew Ndikimi. Date: Monday 26th April 2021. Time: 11:00 am - 12:00 noon.