What Data Protection Law means for Saccos
Savings and Credit Co-operative Societies (Saccos) need to build foundations that will enable them to innovate operations and governance to establish a resilient digital transformation.
According to a recent Sacco Cybersecurity Report 2020/2021, released by Serianu Ltd, organizations are no longer buying hardware, software, or a service, but are buying knowledge, processes, capacity, and empowerment.
Serianu indicates that Saccos are heavily reliant on vendors for key services, and attackers have in turn continuously exploited the loopholes that exist within the vendor management process.
“There needs to be a shift in relationship model from ‘buyer-seller’ to that of a partnership between the Sacco and the vendor.”
The report shows that Saccos are increasingly investing more resources in technology and security, but some are still unprepared for data protection law.
At the same time, Serianu noted that Saccos are increasingly being targeted by attackers, especially on Sacco mobile transaction infrastructure.
However, the percentage of Saccos that have a cybersecurity strategy improved from 38% in 2019 to 55% in 2020. The cybersecurity budget within the Sacco sub-sector in the last three years increased by 20 percent, according to the report.
What Data Protection Law means for Saccos
The Data Protection Act, 2019 provides a legal framework on personal data usage, especially on digital platforms, which brings several changes in the business environment. The law spells out several requirements that must be put in place when handling another’s personal data, including processing and profiling.
The law requires Saccos to seek consent from members before transferring their personal data to third parties. A Sacco offering automated loan processing is required to provide meaningful information about the logic involved to its members, and must ensure that a member has given consent prior to sharing marketing materials.
Members are also legally allowed to request their Sacco to share their data with another Sacco, while the Sacco is expected to report data breaches affecting its members’ personal data to the Data Commissioner within reasonable timelines.
Saccos will also be required to have an in-house data protection officer depending on their size and volume of personal data handling.
Saccos that fail to comply with the law risk a Ksh 5 million fine or 10-year imprisonment for officials.