Data handling firms face auditing amid complaints
What you need to know:
- Many Kenyans have complained over illegal sharing of personal information and invasion of privacy by marketing firms and promoters of products and services.
- Kenya’s Data Protection Act came into effect on November 25, 2019.
Data handling companies including telcos, schools and banks are set to be audited to ascertain compliance with privacy laws amid a resurgence in breaches that have seen some penalised by the Office of the Data Protection Commissioner (ODPC).
The ODPC is scouting for a consultant to conduct the compliance audit across the country.
“The Office of the Data Protection Commissioner intends to competitively engage a consultant to assess the current state of data protection in Kenya including compliance with the Data Protection Act 2019 and the attendant regulations, identify gaps in the implementation of data protection measures, provide recommendations for ensuring compliance and data protection practices and to develop a roadmap for enhancing data protection,” the watchdog said.
Many Kenyans have complained over illegal sharing of personal information and invasion of privacy by marketing firms and promoters of products and services.
Data commonly stored by businesses includes ID numbers, phone numbers, employee records, customer details, and transactions. Sharing or offering for sale personal data is now criminal and could land culprits terms of up to six months or fines of up to Sh5 million.
Kenya’s Data Protection Act came into effect on November 25, 2019, paving the way for the implementation of laws that govern the collection, processing, and storage of personal information both by the government and the private sector.
Data controllers
Parliament would later enact regulations to enforce the Act in March 2022, which included the Data Protection (General) Regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, as well as the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
The Data Protection Regulations, 2021, which were gazetted in January 2022, require mandatory registration of data controllers and data processors, including entities collecting and storing data. They target all public and private entities that deal with personal data, including non-governmental organisations, insurance firms and churches.
Nine out of the 17 convictions involved unauthorised use of private media files to advertise brands, which saw these commercial marketers cough up to Sh8.4 million in compensation to victims, translating to 69.6 percent of the total levied penalties for the period.
Fines
A fashion firm dubbed Accessorize with Style was slapped with a Sh1.5 million penalty on April 22, 2024, after the ODPC found it had breached the privacy of the three complainants.
The trio, Wendy Mwatha, Winnie Wanja, and Annah Mburu, submitted that the enterprise continued with the illegal use of their images for its in-store branding in its multiple outlets long after their contracts had expired. In its verdict, the ODPC found that the firm was in breach of the Data Protection Act which prohibits the commercial use of personal data without express consent from the data subject, before proceeding to award a sum of Sh500,000 to each of the aggrieved parties.