Data Protection For SMES

The Case for Embracing Data Protection 

Data has become one of the most important assets a business can own, similar to property or capital. Therefore, the importance of safeguarding personal and sensitive data cannot be overstated. With the establishment of the Data Protection Act and the creation of its enforcement body, the Office of the Data Protection Commissioner (ODPC), SMEs are now at risk of committing an offence and facing steep penalties for non-compliance.

Now more than ever, SMEs must embrace data protection, not only to ensure compliance with legal requirements but to also build trust with key stakeholders, mitigate risks associated with data breaches, and enhance overall business reputation. As Kenya continues to evolve its data protection landscape, SMEs must prioritise the protection of personal data to stay competitive and secure in the market. 

Data Protection Principles 

To begin understanding data protection, we must first explore the key principles that underpin it. 

1. Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and in a transparent manner. Data handlers must be expressly clear, open, and honest about the intended use of personal data prior to collection. They must not process the data in a way that would be unduly detrimental to the data subjects. 

2. Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.   

3. Data Minimisation: Only data that is necessary for the stated purposes should be collected. Data handlers must only collect data that is sufficient to fulfil the purpose and relevant to that purpose, and the volume should be limited to what is strictly necessary.

4. Accuracy: Personal data must be accurate and, where necessary, kept up to date. When required, reasonable steps should be taken to ensure that any inaccurate personal data is erased or rectified without undue delay.

5. Storage Limitation: Data should not be retained for longer than necessary. Once personal data has become obsolete or can no longer be used for the purpose for which it was collected, data handlers must take reasonable steps to destroy it.

6. Data Transfer: Data should not be transferred outside Kenya to another jurisdiction unless there is evidence of adequate data protection safeguards at the destination or consent from the data subject.

7. Privacy: Data must be processed in accordance with the right to privacy of the data subject. 

8. Accountability: Data handlers are responsible for, and must be able to demonstrate, compliance with these principles. Data subjects must be able to exercise their data subject rights without being unduly impeded.

Data Controller vs. Data Processor   

Understanding the roles of data controllers and data processors is crucial for SMEs. This will serve as the basis for building out a business’s data governance framework as data controllers and processors have differing responsibilities.   

Data Controller: This is the entity that determines the purposes and means of processing personal data. Controllers have the primary responsibility for ensuring that data protection principles are adhered to.   

Data Processor: This is the entity that processes data on behalf of the data controller. Processors act on the instructions of the controller and ensure the security of the data. 

[Table: roles of the data controller compared with the data processor]

Do You Need to Register? 

Under the Data Protection Act, SMEs handling personal data must register with the ODPC. Businesses may be exempted if they meet both of the following criteria: 

  1. Have fewer than ten employees; and
  2. Have an annual turnover of under Kshs 5,000,000. 

However, businesses that operate in any of the following sectors are not eligible for exemption and must register: 

  • Political organisations; 
  • Gambling; 
  • Education; 
  • Hospitality industry (excluding tour guides); 
  • Financial services; 
  • Crime prevention and prosecution of offenders; 
  • Direct marketing firms; 
  • Transport service firms (including online passenger hailing applications); 
  • Genetic data processing firms; 
  • Property management companies; 
  • Health administration and provision of patient care; and 
  • Telecommunications network or service providers. 

The registration process involves providing details about the types of data processed, the purposes of processing, and the security measures in place to protect the data. Applicants must also provide details on their organisation, including establishment documents, contact details of a designated Data Protection Officer (DPO), the previous year's financial turnover, and employee headcount. A registration fee must be paid; however, the amount will vary depending on the size of the business, annual turnover, and number of employees.

Responsibilities as a Data Handler 

Data handlers have several responsibilities, as follows:

Data Collection: Ensure that data is collected in a lawful, fair, and transparent manner, with the consent of the data subjects obtained where necessary. 

Data Security: Implement appropriate technical and organisational measures to protect personal data from unauthorised access, alteration, or destruction. 

Data Access and Correction: Allow data subjects to access their data and request corrections to any inaccuracies. 

Data Breach Notification: Data controllers must notify the ODPC and the affected data subjects of any data breaches within 72 hours of becoming aware of them (data processors must report to data controllers within 48 hours).  

Data Retention and Deletion: Retain data only for as long as necessary and ensure secure deletion of data that is no longer needed. 

Data Localisation: Meet localisation requirements by processing personal data through a data centre in Kenya or by storing and maintaining a copy of the personal data within Kenya. 

Practical Steps for Safeguarding Data Protection and Compliance

  1. Conduct a Data Audit: Identify the types of personal data you collect, process, and store, and map out data flows within your organisation. 
  2. Develop a Data Protection Policy: Create a comprehensive policy that outlines how personal data is handled, protected, retained, and managed within your organisation. 
  3. Implement Security Measures: Use encryption, access controls (for example, activating two-factor authentication), and regular security audits to protect data from unauthorised access and breaches.
  4. Train Employees: Educate your staff about data protection principles, their responsibilities, and the importance of safeguarding personal data. 
  5. Establish Data Subject Rights Procedures: Set up processes to handle data subject requests for access, correction, and deletion of their personal data. 
  6. Regularly Review and Update Practices: Continuously monitor and update your data protection practices to maintain compliance with the evolving regulations and industry standards.  

Conclusion   

By taking these steps, SMEs can ensure that they are not only compliant with the Data Protection Act but also foster trust and confidence among their stakeholders. Embracing data protection is not just a legal obligation but a strategic business practice that can lead to sustainable growth and success. At CM SME Club, we offer tailored data protection solutions for SMEs at affordable rates, including in-house DPO services. For further information or support, please contact law@cmsmeclub.com. 
