Over the session, Janet explains how the Kenyan privacy act has been inspired by the GDPR, as it contains more or less the same provisions. A notable difference is the mandatory requirement for all data controllers and data processors to register with the Kenyan Data Protection Commissioner. The Act also grants the Commissioner regulatory and supervisory powers, giving it a crucial role in the Act’s implementation.
An even more significant distinction from the EU Regulation, however, is that the Act establishes cases of criminal liability. In particular, it expressly holds liable the “person” who fails to comply with the data protection provisions, with penalties that include several years’ imprisonment.
So what should companies do to be compliant, then?
Businesses should act immediately to structure at least a minimal level of compliance within their organisation, limiting the risks of high sanctions and personal liability. Once that is in place, they can implement the best strategy to minimise the remaining, “minor” non-compliance issues. It is all about drawing up a sound list of priorities needed to become compliant and starting from the top, in order to avoid the highest risks.
Finally, Janet explains that the Act identifies around 17 “sensitive” sectors and specifies that companies falling into one of them are mandated to register. Those sectors include, for example, the financial, communication, children’s education, and health sectors.
Nonetheless, even companies outside the 17 listed sectors may still fall under the data protection rules. For this reason, on July 14, 2022, the Kenyan regulator launched a platform on its website that allows firms to self-assess whether they fall under the regulation. The platform also helps companies identify the specific provisions that apply to them.