Kenya takes steps to protect personal data – TBEN


Startups processing personal data in Kenya are among the entities required to register with the Office of the Data Commissioner (ODPC) as the East African country implements a law protecting individuals’ right to privacy within its borders.

The registration, which started after the entry into force of the data protection regulations, is mandatory for any company acting as a data controller – defined as a person or entity that determines the purpose and means of the processing of personal data – whether a processor, a company that does not necessarily collect data or control how data is used, but handles it on behalf of another company.

ALSO READ  Amazon's Great Freedom Sale: Apple iPhone 13 for just Rs. 55,850; Incredible iPhone 11, iPhone 12 prices

The data controller or processor is required to disclose the type of personal data they process, their target audiences and the reasons for collecting and storing such data.

While the ODPC grants some exemption based on turnover and number of employees, registration is mandatory for entities providing financial services, those processing genetic data, in the telecommunications sector, property management, patient care, education, transportation, hospitality, gambling, crime prevention and direct marketing.

“Registration is an important part of data protection law compliance as organizations in Kenya cannot act as data controllers or processors unless they have registered with the ODPC,” Data Protection Commissioner Immaculate Kassait said in a statement.

ALSO READ  Amazon Prime Day Sale 2022: Best Deals, Deals and Discounts on Apple Products, Details Here

The new regulations, which provide guidelines for controllers and processors to follow, are intended to give users more power in determining the type of data collected and how it is used.

The law also aims to promote the entry into force of the Kenyan Data Protection Act, which will ensure that companies use customer data lawfully, minimize collected details, restrict the sharing and further processing of data and ensure that people’s data is kept safe.

The regulations, which are related to the EU’s GDPR, also require companies to obtain user consent before collecting data, and to specify their intent for the collection.

ALSO READ  Raksha Bandhan: What is a connected Rakhi and where can you get one?

It also describes that these entities must obtain consent before using the data for commercial purposes. These entities are also required to process the personal data collected through a data server in Kenya or to keep a portion copy within the borders. A company that transfers data abroad can only do so on a number of accounts that also require the consent of the data subject.

Controllers and processors are also obliged to notify the ODPC of a data breach within 72 hours. The regulation further encourages entities to appoint a data protection officer to ensure compliance, and recommends fines and jail terms for violations.


Please enter your comment!
Please enter your name here