With President Kenyatta’s nomination, in October 2020, of Ms Immaculate Kassait as Data Commissioner and communicating the nomination to the National Assembly for its approval, it appears to be only a matter of time before the office of the Data Protection Commissioner is staffed, and the Data Protection Act of 2019 operationalized.
The office of the Data Protection Commissioner is a body corporate under the DP Act, headed by the Data Commissioner as its head and consisting of other staff appointed by the Data Commissioner. The Data Commissioner is responsible for overseeing the implementation and enforcement of the Act.
The DP Act requires data controllers and data processors to be registered by the Data Commissioner. Data processing is defined as almost any activity that involves manipulating any personal data, including collecting, recording, storing, retrieving, disclosing, consulting, recording it. A data controller is a person who determined the purpose and means of processing personal data.
By definition, practically all companies, organisations and institutions in Kenya are data processors or data controllers, making the registration of data processors and controllers essentially an additional step/process to ‘doing business in Kenya’. Helpfully however, the DP Act mandates the Data Commissioner to prescribe thresholds required for mandatory registration of data controllers and processors.
We surmise that this, and the enforcement of The Registration of Persons (National Integrated Identity Management System) Rules 2020 (‘Huduma Namba Rules‘) will be among the first order of business for the Data Commissioner.
Given the factors the Data Commissioner is required to take into account in determining which data processors or controllers will be exempted from registration under the DP Act, it is likely that SMEs not dealing in sensitive personal data (like health data, biometric data) will be burdened with the requirement to register with the Data Commissioner. Notably non-registration will not exempt a data processor or controller from the requirements of the DP Act, and it is advisable that SMEs, like large organisations, start to comply with the requirements of the rights and principles based DP Act.
In a series of subsequent articles posts, we shall analyse how organisations can comply with the provisions of the DP Act, setting out various compliance requirements of the DP Act and offering proposals on the manner of complying with these requirements, not only to avoid the penal sanctions and administrative fines under the law, but more so to demonstrate that businesses that will be compliant will gain a competitive advantage by so complying.
Photo by Towfiqu barbhuiya on Unsplash