Kenya Data Protection Act Quick Guide

2021 Introduction Overview

Kenya has promulgated a Data Protection Act…. Transfer of Personal Data Outside Kenya The Data Protection Bill that has been a subject of discussion for years, was passed into law on 8 November ➢ Every data controller or data processor is required to ensure the storage, on a server or data 2019 when the president assented to it. The Data protection Bill 2019, follows the path taken by the centre located in Kenya, of at least one serving copy of personal data to which the Act applies. European Union in enacting the General Data Protection Regulation (GDPR) in May 2018 and makes Kenya ➢ Cross-border processing of sensitive personal data is prohibited and only allowed when certain the third country in East Africa to have legislation dedicated to data protection. conditions are met or under certain circumstances specified in the Act (Part IV – 48 – 50). This law was expedited following concerns raised over the Huduma Namba registration exercise, with those ➢ A data controller or data processor may transfer personal data to another country where— opposed to the process raising concern about the safety of citizen’s personal data collected by the Government. i. the data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data; Purpose of the Act ii. the data subject has given explicit consent to the proposed transfer, after having been The Act seeks to: informed of the possible risks of the transfer such as the absence of appropriate security safeguards; ➢ give effect to Article 31(c) and (d) of the Constitution that contain the right to privacy; iii. the transfer is necessary for performance of a contract. ➢ establishment of the Office of the Data Commissioner; Exemptions ➢ regulate the processing of personal data, The processing of personal data is exempt from the provisions of the Data protection Act if— i. exemption is necessary for national security or public order; ➢ provide for the rights of data ‘subjects’; and ii. disclosure is required by or under any a written law or by an order of the court e.g. Anti Money ➢ obligations of data ‘controllers’ (Person who determines the purpose and means of processing of Laundering (AML) Laws; personal data) and ‘processors’ (Person who processes personal data on behalf of the data iii. the prevention or detection of crime e.g. AML/CFT laws; controller). iv. the apprehension or prosecution of an offender; or Data Protection Principles v. the assessment or collection of a tax or duty or an imposition of a similar nature. The Act requires Data Controllers and Processors to process data lawfully; minimise collection of data; restricts further processing of data; requires data controllers and processors to ensure data quality; and Recent Developments that they establish and maintain security safeguards to protect personal data. i. Recruitment of the Data Commissioner to head the Office of the Data Protection Commissioner in Registration of Data Controllers and Processors October 2020 and subsequent vetting by parliament, appointment and swearing in of Ms. Immaculate Kassait. The Act requires that any person who acts as a data controller or data processor must be registered with the Data Commissioner. Therefore, once the office of the Data Commissioner is established, organisations ii. 15 January 2021: Appointment of 14-member task force chaired by Immaculate Kassait to review meeting the definition of a controller or processor will need to register as such, and renew their registration the Act, identify gaps or inconsistencies in the law, propose any new policy, legal and institutional every 3 years. framework that may be needed to implement the Act, develop the Data Protection (General)

PENALTIES FOR NON COMPLIANCE DATA SUBJECT RIGHTS INCREASED TERRITORIAL SCOPE EXPLICIT AND RETRACTABLE CONSENT Infringement of provisions of the Kenya FROM DATA SUBJECTS Data subjects can request confirmation DPA will apply to all companies Data Protection Act (DPA) will attract a whether or not their personal data is being penalty of not more than KES 5 million or, processing the personal data of data Must be provided in an intelligible and processed, where and for what purpose. in the case of an undertaking, not more subjects residing in Kenya, regardless easily accessible form, using clear and plain than 1% of its annual turnover of the language. It must be as easy to withdraw Additionally, data subjects can request to be preceding financial year, whichever is of the company’s location. consent as it is to give it. forgotten, which entails the removal of all the lower. Individuals will be liable to a fine not data related to the data subject. exceeding three million shillings or to an imprisonment term not exceeding ten years, or to both.

DATA INVENTORY BREACH NOTIFICATION WITHIN 72 HOURS PRIVACY BY DESIGN MANDATORY DATA PROTECTION OFFICERS Organizations must maintain a record of Notify the Data Commissioner within Depending on the type of personal data and Now a legal requirement for the processing activities under its responsibility–or, seventy-two hours of becoming aware of a consideration and inclusion of data intensity of processing activities, an breach and to the data subject in writing in short, they must keep an inventory of all organisation may be required to appoint a Data protection from the onset of the designing personal data processed. The inventory must within a reasonably practical period. of systems, rather than a retrospective Protection Officer to facilitate the need to include the multiple types of information, such demonstrate compliance to the Act. addition. as the purpose of the processing.

© 2021 Deloitte & Touche Kenya Data Protection Act 3 Impacts to Organisations The Data Protection Act impacts many areas of an organisation, mainly: legal and compliance, technology, and data. Legal & Compliance Technology Data

The Data Protection Act (DPA) New DPA requirements will mean Individuals and teams introduces new requirements and changes to the ways in which tasked with data and challenges for legal and compliance technologies are designed and information functions. managed. Documented Data Protection management will be Many organisations will require a Impact Assessments will be required to challenged to provide Data Protection Officer (DPO) who deploy major new systems and clearer oversight on data will have a key role in ensuring technologies that are likely to result in storage, journeys, and compliance. If the DPA is not high risk to the rights and freedoms of lineage. Having a better complied with, organisations will data subjects. Security breaches will grasp of what data is face the heaviest fines yet – up to have to be notified to regulators within collected and where it is 2% of previous year turnover. A 72 hours, meaning implementation of stored will make it easier renewed emphasis on organisational new or enhanced data security to comply with (new) accountability will demand proactive approaches and incident response data subject rights – robust privacy governance. This will procedures. The concept of Privacy rights to have data require organisations to review how now becomes enshrined in law, with the deleted and to have it they write privacy policies to make Privacy Impact ported to other these easier to understand, and Assessment expected to become organisations. This will enforce compliance. commonplace across organisations over also have an impact on the next few years. And organisations Third Party vendors that will be expected to look more into data an organization works masking, pseudonymisation and with. encryption. Chief Risk Officer Chief Information Security Officer

Chief Technology Chief Information Chief Data Chief Operating Officer/Chief Security Officer Officer Officer Compliance Officer Chief Legal Officer Information Officer

© 2021 Deloitte & Touche Kenya Data Protection Act 4 Impacts – Legal and Compliance Chief Risk & Compliance Officers, Legal Officers, Privacy Officers and Data Protection Officers: Your privacy strategies, resourcing, and organisational controls will need to be revised. Boardrooms will need to be engaged more than ever before.

1 2 A Revolution in Enforcement Accountability

Fines up to 1% of prior year annual turnover Proactive approach Serious non-compliance could result in Enforcement action will fines of up to five million shillings, or in extend to other countries The will be significant new comprehensive view of their the case of an undertaking, up to 1% of where analysis on Kenya requirements around data and being able to its annual turnover of the preceding citizens is performed. But maintenance of audit trails and demonstrate they are financial year, whichever is lower. how will this play out in data journeys. The focus is on compliant with the Data Individuals could face fines not practice? organisations having a more Protection Act requirements. exceeding three million shillings or an proactive, imprisonment term not exceeding ten years, or both. 3 4 Data Protection Officers Privacy Notices and Consent

Market hots up for independent specialists Clarity and education is key

Organisations processing with sought-after skills and Organisations should now of consent as one of the personal data on a large scale experience are currently in consider carefully how they conditions for lawful will now be required to appoint short supply. construct their public-facing processing, with organisations an independent, adequately privacy policies to provide more required to obtain ‘freely given, qualified Data Protection detailed information. However, specific, informed and Officer. This will present a it will no longer be good enough unambiguous’ consent, while challenge for many medium to to hide behind pages of legalese. being able to demonstrate large organisations, as In addition, the Data Protection these criteria have been met. individuals Act will retain the notion

© 2021 Deloitte & Touche Kenya Data Protection Act 55 Impacts – Technology Chief Information Officers, Chief Technology Officers and Chief Information Security Officers: Your approach towards the use of technology to enable information security andother compliance initiatives will need to be reconsidered, refocused and repurposed with costs potentiallyrising.

1 2 Breach Reporting Online Profiling

Breach reporting within 72 hours of detection Profiling & automatic decision-making becomes a loaded topic

Significant data breaches will incident management Individuals will have new rights Automatic decision-making on now have to be reported to procedures and consider to opt out of and object to issue affecting the privacy or regulators and in some processes for regularly online profiling and tracking, dignity of a data subject is also circumstances also to the testing, assessing and significantly impacting direct-to- now regulated. This applies not individuals impacted. This evaluating their end to end consumer businesses who rely just to websites/platforms, but means organisations will have to incident management on such techniques to better also to other digital assets, such urgently revise their processes. understand their customers. as mobile apps, wearable devices, and emerging technologies. 3 4 Encryption Privacy-by-Design and Privacy-by-Default

Encryption as means of providing immunity? Recognised best practice becomes law

The Data Protection Act formally this does not mean that The concept of Privacy by Design Technologies (by design) and in recognises the privacy benefits organisations can afford to and by Default (PbD) is nothing their business-as-usual operations of encryption. In case of a data be complacent, and the new, but now it is enshrined in (by default). One demonstration breach, where encryption exemption may not apply when the Data Protection Act. of of PbD is Data Protection safeguard was adopted, the law weak encryption has been used. Organisations need to build a Impact Assessments (DPIA), exempts the data controller or Given the potential fines, mind set that has privacy at the which is now required to be processor from notifying organisations will have to forefront of the design, build and undertaken for new uses of affected data subjects. further increase their focus on a deployment of new personal data where the risk to However, robust information and cyber individuals is high. security regime. Kenya Protection Act © 2021 Deloitte & Touche Data 66 Impacts – Data Chief Data Officers, Data Stewards, Chief Marketing Officers, and Digital Leads: Your information management activities have always supported privacy initiatives, but under the Data Protection Act, new activities are required which specifically link to compliancedemands.

1 2 Data Inventories Right to Data Portability

Identifying and tracking data A new right to request standardised copies of data

Organisations will have to take activities. Data leads will have A new right to ‘data but taken broadly the steps to demonstrate they to work closely with privacy portability’ means that challenges could be numerous know what data they hold, colleagues to ensure all individuals are entitled to – amongst them achieving where it is stored, and who it is necessary bases are covered. A request copies of their data in clarity on which data needs to shared with, by creating and thorough system for a readable and standardised be provided, extracting data maintaining an inventory of maintaining inventories needs format. The interpretation of efficiently, and providing data data processing to be implemented. this requirement is debatable, in an industry-standardised form. 3 4 Right to be Forgotten Definitions of Data

A stronger right for consumers to request deletion of their data The concept of pseudonymisation of data

A new ‘right to be forgotten’ is perform wholesale reviews of The Data Protection Act data will be classed as personal further evidence of the processes, system architecture, expressly recognises the data and subject to consumer being in the driving and third party data access concept of pseudonymisation of requirements. seat when it comes to use of controls. In addition, archive data and places emphasis on their data. Depending on media may also need to be data classification and regulatory interpretation, reviewed and data deleted. governance. But it remains organisations may need to unclear if and when certain

Data Protection & Data Third Privacy Impact Processing Party Assessment Inventory Procedures

Data Protection and Privacy Privacy by Transformation Design Program

© 2021 Deloitte & Touche Kenya Data Protection Act 9 Approach - Actions to take to prepare for the Data Privacy Regulations Based on a comprehensive DPA readiness roadmap, a tailored transformation program helps organisations prepare in the optimal way for the Data Protection Regulations

Strategy A strong starting point determining high level direction and risk appetite, upon which the organisation builds its privacy Strategy organisation.

Organisation and Accountability Enabling effective implementation of the privacy strategy requires a strong and multidisciplinary privacy organisational Organisation and structure. This covers the structure of the privacy organisation as well as the role and position of key players, such as the Accountability Data Protection Officer. This layer also covers accountability; how to prove compliance?

Policies & Policy, process & data procedures Partnering with the Business to ensure data is protected, governed, managed and utilised effectively in line Data Data with the organisation’s strategy. Also covers technological challenges such as data access requests, data Management Transfers retention, right to be forgotten, breach notification and international and 3rd party data transfers.

Communication, Communication, Training, Awareness Training,Awareness Creating a high level of organisational awareness on privacy ensures that the organisation’s employees know and follow the rules.

Privacy Operations Privacy Impact Embedding privacy into the organisations project methodology. This is done by efficient Assessment and practical guidance during conception of a new or changed product or service (Privacy Audit Privacy by by Design) as well as assessing new and existing systems following the established Privacy and Certification Design Impact Assessment method. Also covers audit guidance and readiness for certification programs and adherence to code of practice in data protection and privacy. Processing Inventory Processing Inventory A processing inventory is a fundamental element of any privacy program, and will be a mandatory requirement following the DPA.

Urvi Patel Julie Nyang’aya Partner, Risk Advisory Partner, Risk Advisory

Tel: :+254 (0) 720 111 888 Tel: +254 (0) 711 584 007 Email : [email protected] Email: [email protected]

Rakesh Ravindran Samuel Njoroge Manager, Risk Advisory Manager, Risk Advisory

Tel: :+254 (0) 790 710 311 Tel: +254 (0) 710 546 333 Email : [email protected] Email : [email protected]

© 2021 Deloitte & Touche Kenya Data Protection Act 11 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 334,800 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.