TECHNOLOGY INSIGHTS
Data is the new gold in business
In the new digital economy, data is a crucial driver. It helps organizations make informed decisions and build positive customer relationships. Organizations, especially in the financial sector, have leveraged the data available to them to understand market conditions better and uncover customers' purchase patterns. With increased data collection and use comes an increased risk of data breaches.
Saccos and other organizations need to put at least minimal data protection measures in place if they want to retain their customers' trust.
The Data Protection Act (DPA) 2019 was enacted to protect the privacy of individuals and regulate the processing of personal data. Infringement of DPA provisions attracts a hefty penalty: not more than Ksh5 million or, in the case of an undertaking, not more than 1% of its annual turnover for the preceding financial year, whichever is lower.
The Act places further obligations on individuals and organizations that collect and process personal data, ensuring that privacy and protection are adhered to in the course of doing business. The DPA imposes a statutory obligation on all entities that process personal data to register with the Data Commissioner, subject to the thresholds on mandatory registration set by the Data Commissioner. Registration of data controllers and data processors commenced on 14th July 2022.
"Data Controller" means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.
"Data Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
In the course of conducting business, Saccos collect, store and process members' data to inform their decisions. A Sacco's operations therefore fall into the data controller category; hence Saccos MUST comply, and be able to demonstrate compliance, with all the data protection principles and meet all obligations under the DPA.
Most Saccos don't develop their own solutions but outsource services such as Mobile Banking and Agency Banking to vendors. The Act further places responsibility on the Data Controller for the compliance of any Data Processors contracted to process personal data on its behalf.
Journey to compliance
Registration
The Office of the Data Protection Commissioner (ODPC) commenced the registration of Data Controllers and Data Processors on 14th July 2022.
The service is available on the ODPC E-services Portal at https://dataportal.odpc.go.ke, but before registering, it is paramount for a Sacco to determine whether it is a Data Controller, a Data Processor or both.
If the Sacco determines it is both, separate applications have to be made, each of which attracts a separate fee.
Information required for registration includes:
- Basic information, i.e. registration details, contacts, DPO contacts, etc.
- Identification of classes and categories of data processed
- List of sensitive personal data processed
- Transfer of personal data outside Kenya
- Risk & safeguards for protection of personal data
- Identification of payment tier, guided by the number of employees and turnover.
ODPC will issue a registration certificate within 14 days if all requirements have been met. The certificate is renewable every two (2) years.
Key issues to ensure compliance
The data protection principles require that personal data be obtained lawfully (for example, on the basis of freely given consent) and in accordance with the data subjects' right to privacy. The processing of personal data should be lawful, fair and transparent, limited to the stated purpose, stored for no longer than necessary, and not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subjects.
Data Protection Policy
Saccos should develop, publish and regularly update a data protection policy that reflects their personal data handling practices. The policy should reflect the data protection principles outlined in the Act and should be communicated to the relevant stakeholders.
Agreement between data controller and data processors
The DPA requires that where a data controller uses the services of a data processor (e.g. a Sacco taking up M-banking services from a vendor), the parties MUST have a written contract specifying that the data processor may act only on instructions received from the data controller.
In addition, the contract must specify that the data controller's obligations under the Act shall also bind the data processor.
Principle of Integrity, Confidentiality and Availability
Saccos will need to assess the risks to the security of personal data and put in place measures to counter the identified risks. This is where cyber security and business continuity come into play: access control, securing data at rest and in transit, and disaster recovery plans.
Data Protection Officer (DPO)
Saccos will also need to designate or appoint a DPO whose primary role is to ensure that the organization complies with the Act. Given the nature of the role, it is paramount for the DPO to have the knowledge and technical skills relevant to data protection. The contact details of the DPO must be communicated to the Data Commissioner.
DPO services can be outsourced, as the Act allows a group of entities to appoint a single DPO. Saccos may consider this option given the limited data protection skills within the Sacco. The terms of engagement could be extended to cover operational data protection activities, offering more value to the organization.
Saccos should be open-minded when it comes to compliance with the DPA. It is not only about avoiding potential penalties but also about unlocking hidden reputation and brand value. In the long run, a Sacco that complies with the DPA will enhance members' trust and loyalty and open paths to greater innovation and value creation for all stakeholders.
The writer Steve Mambo is a Certified Information Security Manager (CISM) with over 14 years of experience in ICT. He has consulted in Cyber Security and Digital Forensics for the financial, manufacturing and insurance sectors. He is currently the Chief Operating Officer, Yell bridges Ltd. [email protected]