16.6 C
Nairobi
Sunday, May 19, 2024

Effective Data Protection: The Key to Avoiding Regulatory Penalties

In 2023 alone, the Office of the Data Protection Commissioner (ODPC) in Kenya issued penalties in more than six public privacy violation cases. These cases range from the use of personal data without the express consent of the individuals involved, failure to notify the regulator of a breach as the law requires, and the illegal acquisition and processing of personal data, to the simple spamming of individuals through SMS.

Under the Kenya Data Protection Act (KDPA), there are provisions for penalties and sanctions in case of non-compliance with the data protection regulations. The Act outlines different penalties based on the nature and severity of the violation.

The Commissioner may serve an enforcement notice and a penalty notice requiring the person to pay a penalty of an amount specified in the notice.

An Enforcement Notice is issued to a person or entity that has failed to comply with the provisions of the Data Protection Act, and it specifies the measures to be taken to remedy the situation, the consequences of failure to comply, and the period for compliance.

A Penalty Notice is issued to a person or entity that has failed to comply with an Enforcement Notice after the specified period, and it states the penalty to be paid.

The main penalties specified in the Act include:

  1. Administrative Fines: The maximum penalty for non-compliance with the Act is up to Ksh 5 million or, in the case of an undertaking, not more than 1% of the annual gross turnover of the preceding financial year, whichever is lower.
  2. Criminal Offenses: If found guilty of a criminal offense, individuals will be liable to a fine not exceeding Ksh 3 million, or to an imprisonment term not exceeding 10 years, or both.

The Act identifies certain actions as criminal offenses, including:

  • knowingly obtaining or disclosing personal data without authority;
  • unlawfully altering or destroying personal data; and
  • unauthorized re-identification of anonymized data.

  3. General Penalty: A fine not exceeding Ksh 3 million or imprisonment for a term not exceeding 10 years, or both, is applicable.

This penalty relates to:

  • the failure to register with the Commissioner as a data controller or data processor;
  • unlawful disclosure;
  • processing of personal data without lawful purpose;
  • the sale of personal data and publication of false or misleading information to the Commissioner.

Saccos can avoid these penalties by being responsive to the legal and regulatory demands of the KDPA. Understanding the data privacy principles, requirements and obligations, and functional components of the Act is important for any Sacco before considering starting the journey of KDPA compliance.

Sacco boards and management are ultimately responsible for data protection compliance.

They need to build privacy governance and management, starting with designating a privacy officer, either as a new hire or by assigning the privacy responsibilities to a relevant existing employee; overseeing the creation of privacy policies, procedures, SOPs, and other vital governance artefacts; and then providing the support, resources, and personnel needed to operationalize a privacy program and compliance management.

Good compliance management typically includes these essential functions: awareness training, policy management, gap assessment, data mapping, impact assessments, privacy audits, and others. For a Sacco, these activities span multiple departments and involve many internal and external stakeholders and diverse documentation and data, which makes privacy management a challenging endeavour for privacy teams given the breadth and depth of the work involved.

For Saccos to effectively manage privacy compliance, they need a tool to navigate the complexities involved. Such a tool would simplify the work and reduce the time and cost involved while enhancing the quality of work and management outcomes.

One such tool is the Data Protection Manager (DPM), which automates, centralizes, and streamlines the entire compliance process, leveraging a unified and integrated platform with comprehensive features.

With DPM, your Sacco can better demonstrate compliance with the regulator and stakeholders, reducing regulatory and reputational risks while enhancing trust with members.

Remember, with the regulatory landscape evolving quickly, data compliance will continue to become more complicated and challenging to manage. The only way to NOT go crazy during the tedious compliance process is automation! Don’t let data breaches cost you: prioritize data protection compliance.

Cephas Okoth M., Data Protection Consultant, Yelbridges Ltd.

www.yelbridges.co.ke
