A few weeks ago, I was privileged to join a workshop to discuss the Kenya Data Protection Bill 2019 and hear learnings from a law firm helping European companies manage the transition to the 2015 General Data Protection Regulation (GDPR).
As mentioned in my recent series of blogs, platforms are getting powerful. One of the things fueling this power is data. Data is becoming a critical part of their business models. The major concern is, what are they doing with all that data? Is your data safe? Do you trust these platforms with your data? Is my data really mine?
That is why we have seen the European Union move to implement the GDPR as an enhancement to its member states' privacy laws. In line with the GDPR, many countries have begun aligning their privacy laws with the GDPR framework.
Back to the workshop: the first lesson I learned was that there is a difference between data privacy and data protection. Data privacy is the broader area of regulation intended to enhance privacy. Data protection is a subset of data privacy that deals with protecting data from unauthorised use.
In Kenya data protection is handled in several sections of the law:
- The 2010 Constitution, Article 31 and Article 2, which give a right to privacy.
- The Kenya Information and Communications Act (KICA), sections 30, 31 and 32, which deal with unauthorised interception of messages on a telecommunication network.
- The Computer and Cybercrimes Act 2018, sections 11 and 14, which deal with reporting breaches and unauthorised access.
- The Data Protection Bill 2019, which applies to the processing of personal data by organisations.
The Kenya Data Protection Bill 2019 is aligned to the GDPR and develops a similar framework. There is a Data Controller, who processes the personal data of Data Subjects (you and me), and the Data Subjects have rights. The Data Controller must be registered with the office of the Data Protection Commissioner (similar to the office of the Attorney General or the Director of Public Prosecutions), which will be a constitutional office under this act.
How the Kenya Data Protection Bill 2019 is expected to work in the real world.
As a company that processes any type of personal data (IT and non-IT companies alike), you will have to register with the office of the Data Protection Commissioner (not another registration!!!), whose role is to oversee the implementation of the law. Your company will be deemed to be a Data Controller. As a Data Controller you are required to submit the nature of your business and a risk matrix on Data Subjects as part of your registration. As a Data Controller you can (or are perhaps supposed to) appoint a Data Protection Officer, who is tasked with ensuring internal compliance with the law.
Here are some things to consider as a Data Controller on how to handle the data of Data Subjects:
- You should not keep and use personally identifiable data beyond its intended use. For marketing purposes, and before transfer of data to a third party, Data Subjects are required to give consent to the Data Controller first. Hopefully this no future spamming from
- You should not transfer personal data outside Kenya unless there is proof that the other country has adequate data protection safeguards, or the Data Subjects have consented. There was an initial fear around this, but the provision allows the use of services like cloud-based IT services. There is a caveat in that the office of the Data Protection Commissioner can prohibit or restrict such transfers.
- A Data Controller can overrule a Data Subject's right regarding the processing of their data. This one is a bit tricky. Unlike the GDPR, which allows the "right to be forgotten", this bill gives more power to the Data Controller, and this will be interesting to watch as the law becomes operational and people become more aware.
- A Data Controller has to notify the office of the Data Protection Commissioner and the affected Data Subjects of a breach of personal data within 72 hours.
- Data Controllers such as security agencies are exempt from the above regulations, with or without the intervention of a court of law (my interpretation).
As a person sharing your personal data you are now known as a Data Subject (this is beginning to feel like The Matrix). You should know that:
- You have the right to be informed on the intended use of your data and even object to its processing.
- You have the right to access your data.
- You have a right to the deletion of false or misleading data. Again, the provision for the "right to be forgotten" is diluted in the bill.
- There are situations where your data can be collected indirectly and the rights above do not apply.
- You own your data. You have the right to transmit your data from one Data Controller to another Data Controller. This will be interesting in healthcare, where portability of your medical records is still not possible, as the hospitals (Data Controllers) currently see themselves as custodians of your data.
The initial challenge I foresee with these regulations is how to process data for your business in practice while staying within them. One suggested approach, in line with the law, is to separate the personal data of Data Subjects from their other data points. These other data points are still useful to companies and can be anonymised or pseudonymised. This makes it difficult for the data to be linked back to an individual, and so can help a company build processes such as artificial intelligence (AI) without flouting the regulations. However, I still consider it to be early days on this.
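As an added illustration (this is example code written for this post, not a reference implementation from the bill or any vendor), here is what that separation looks like in Python: the direct identifiers go into a small identity "vault", the analytics copy carries only a keyed pseudonym and a generalised age band, deletion is honoured by dropping the vault entry, and a helper shows why an unkeyed hash of an ID number is not a safe pseudonym. The records, field names and key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; every name and number here is made up for the example.
RAW_RECORDS = [
    {"name": "Amina Wanjiru", "national_id": "12345678", "phone": "+254700000001",
     "county": "Nairobi", "age": 34, "plan": "premium", "monthly_spend": 4200},
    {"name": "Brian Otieno", "national_id": "87654321", "phone": "+254700000002",
     "county": "Kisumu", "age": 27, "plan": "basic", "monthly_spend": 1500},
]

# Fields that directly identify a person; these are stored only in the identity vault.
DIRECT_IDENTIFIERS = ("name", "national_id", "phone")


def pseudonym(national_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key nobody can recompute it,
    so a guessed ID number cannot be checked against the analytics set."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()


def unkeyed_ref(national_id: str) -> str:
    """The weak alternative: a plain SHA-256 of the ID number (shown only to contrast)."""
    return hashlib.sha256(national_id.encode()).hexdigest()


def unkeyed_ref_is_guessable(stored_ref: str, candidate_ids) -> bool:
    """Why the plain hash is not a pseudonym: anyone who can enumerate plausible
    ID numbers (an 8-digit space here) can simply recompute and match it."""
    return any(unkeyed_ref(c) == stored_ref for c in candidate_ids)


def age_band(age: int) -> str:
    """Generalise an exact age into a ten-year band to reduce re-identification risk."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def split_record(record: dict, key: bytes):
    """Split one raw record into a vault entry (direct identifiers only) and an
    analytics row carrying a pseudonym plus the remaining, generalised attributes."""
    ref = pseudonym(record["national_id"], key)
    vault_entry = {field: record[field] for field in DIRECT_IDENTIFIERS}
    analytics_row = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    analytics_row["age_band"] = age_band(analytics_row.pop("age"))
    analytics_row["subject_ref"] = ref
    return ref, vault_entry, analytics_row


def split_dataset(records, key: bytes):
    """Return (vault, analytics): the vault maps pseudonym -> identifiers and is
    kept separately from the analytics rows handed to data scientists."""
    vault, analytics = {}, []
    for record in records:
        ref, vault_entry, row = split_record(record, key)
        vault[ref] = vault_entry
        analytics.append(row)
    return vault, analytics


def reidentify(ref: str, vault: dict):
    """Re-linking is possible only for whoever holds the vault; analytics users never see it."""
    return vault.get(ref)


def erase_subject(ref: str, vault: dict) -> bool:
    """Honour a deletion request: removing the vault entry leaves the analytics row
    in place but permanently unlinkable to a person. Returns False if already gone."""
    return vault.pop(ref, None) is not None


if __name__ == "__main__":
    # The key belongs in a separate key store, never alongside the analytics data.
    key = secrets.token_bytes(32)
    vault, analytics = split_dataset(RAW_RECORDS, key)
    for row in analytics:
        print(row)  # no name, ID number or phone reaches the analytics side
    first_ref = analytics[0]["subject_ref"]
    print("vault lookup:", reidentify(first_ref, vault))
    print("erased:", erase_subject(first_ref, vault))
    print("after erasure:", reidentify(first_ref, vault))
```

The analytics rows are still useful for the kind of modelling the paragraph mentions (county, plan, spend, age band), while the only thing linking a row to a person is the vault plus the HMAC key, both of which can be locked down and audited separately.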
In summary, the Data Protection Bill is a step in the right direction as our lives become more digital. What is not clear is how it plays out once it becomes law. With the law expected to be passed in October 2019, we will find out soon, in the next two to three years. This will surely be interesting to watch.
You can find the draft bill here: http://www.parliament.go.ke/node/11390