Under regulations proposed by the ICT ministry, the Office of the Data Protection Commissioner (ODPC) would gain the power to conduct compliance audits on certified data handlers, tightening the noose on privacy offenders.
The new regulations, intended to give further effect to the Data Protection Act 2019, come at a time when the ODPC has been on an aggressive drive to enforce compliance and guard against data privacy breaches.
In the proposed rules, the ODPC will also be provided with a framework for the accreditation of data protection auditors while retaining the role of overseeing and monitoring audit activities by the accredited firms.
“A data protection audit may be a periodic audit or a special audit. The Office (ODPC) may conduct a data protection audit on its own, outsource the conduct of the audit, or affirm a data protection audit report submitted by an accredited auditor,” reads the draft document in part.
In determining whether to engage an external data protection auditor, the Data Commissioner will weigh the complexity or specialised nature of the audit to establish whether it requires specific expertise, assess internal resources available within the office, as well as evaluate whether outsourcing will be more cost-effective than internal audit execution.
“The Office may recognise an audit that has been privately initiated and conducted by an accredited auditor, subject to the conditions and criteria set out in these regulations,” the rules state.
“An accredited auditor seeking recognition for a privately initiated audit shall submit a request to the Office along with the audit report and any supporting documentation within 30 days upon completion of the audit.”
Persons wishing to act as data protection auditors will be required to apply to the ODPC for accreditation; once satisfied that the applicant meets the set criteria, the Office will grant the permit for a Sh150,000 fee.
The accreditation remains valid for three years from the date of issuance and may be renewed for Sh100,000.
An analysis of all privacy breach complaints handled by the ODPC in the first half of this year shows that offensive use of private data, including images and videos, for marketing and commercial purposes without consent attracted the highest conviction rate, which in turn accounted for the largest share of the penalties levied.
According to filings on ODPC’s official website, the watchdog handled 26 complaints during the period, 17 of which resulted in convictions. Offenders were ordered to compensate complainants a collective sum of Sh12 million.