Kenya Data Protection Act - Quick Guide 2021
Introduction

Overview
Kenya has promulgated a Data Protection Act….
The Data Protection Bill, which had been a subject of discussion for years, was passed into law on 8 November 2019 when the President assented to it. The Data Protection Bill 2019 follows the path taken by the European Union in enacting the General Data Protection Regulation (GDPR) in May 2018 and makes Kenya the third country in East Africa to have legislation dedicated to data protection.
This law was expedited following concerns raised over the Huduma Namba registration exercise, with those opposed to the process raising concern about the safety of citizens' personal data collected by the Government.

Purpose of the Act
The Act seeks to:
➢ give effect to Article 31(c) and (d) of the Constitution, which contain the right to privacy;
➢ establish the Office of the Data Commissioner;
➢ regulate the processing of personal data;
➢ provide for the rights of data 'subjects'; and
➢ set out the obligations of data 'controllers' (a person who determines the purpose and means of processing of personal data) and 'processors' (a person who processes personal data on behalf of the data controller).

Data Protection Principles
The Act requires data controllers and processors to process data lawfully, to minimise the collection of data and to ensure data quality; it restricts further processing of data; and it requires that they establish and maintain security safeguards to protect personal data.

Registration of Data Controllers and Processors
The Act requires that any person who acts as a data controller or data processor must be registered with the Data Commissioner. Therefore, once the office of the Data Commissioner is established, organisations meeting the definition of a controller or processor will need to register as such, and renew their registration every 3 years.

Transfer of Personal Data Outside Kenya
➢ Every data controller or data processor is required to ensure the storage, on a server or data centre located in Kenya, of at least one serving copy of personal data to which the Act applies.
➢ Cross-border processing of sensitive personal data is prohibited and only allowed when certain conditions are met or under certain circumstances specified in the Act (Part IV, 48–50).
➢ A data controller or data processor may transfer personal data to another country where—
i. the data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data;
ii. the data subject has given explicit consent to the proposed transfer, after having been informed of the possible risks of the transfer such as the absence of appropriate security safeguards;
iii. the transfer is necessary for performance of a contract.

Exemptions
The processing of personal data is exempt from the provisions of the Data Protection Act if—
i. exemption is necessary for national security or public order;
ii. disclosure is required by or under any written law or by an order of the court, e.g. Anti-Money Laundering (AML) laws;
iii. the prevention or detection of crime, e.g. AML/CFT laws;
iv. the apprehension or prosecution of an offender; or
v. the assessment or collection of a tax or duty or an imposition of a similar nature.

Recent Developments
i. Recruitment of the Data Commissioner to head the Office of the Data Protection Commissioner in October 2020, and subsequent vetting by Parliament, appointment and swearing in of Ms. Immaculate Kassait.
ii. 15 January 2021: appointment of a 14-member task force chaired by Immaculate Kassait to review the Act, identify gaps or inconsistencies in the law, propose any new policy, legal and institutional framework that may be needed to implement the Act, develop the Data Protection (General) Regulations and train stakeholders and the public on the said regulations.

© 2021 Deloitte & Touche
The Big Picture
Key Elements of the Data Protection Act
The Data Protection Act (DPA) introduces new requirements and challenges for legal and compliance functions. Many organisations will require a Data Protection Officer (DPO) who will have a key role in ensuring compliance. If the DPA is not complied with, organisations will face the heaviest fines yet – up to 2% of previous year turnover. A renewed emphasis on organisational accountability will demand proactive, robust privacy governance. This will require organisations to review how they write privacy policies to make these easier to understand, and enforce compliance.
New DPA requirements will mean changes to the ways in which technologies are designed and managed. Documented Data Protection Impact Assessments will be required to deploy major new systems and technologies that are likely to result in high risk to the rights and freedoms of data subjects. Security breaches will have to be notified to regulators within 72 hours, meaning implementation of new or enhanced data security approaches and incident response procedures. The concept of Privacy now becomes enshrined in law, with the Privacy Impact Assessment expected to become commonplace across organisations over the next few years. And organisations will be expected to look more into data masking, pseudonymisation and encryption.
Individuals and teams tasked with data and information management will be challenged to provide clearer oversight on data storage, journeys, and lineage. Having a better grasp of what data is collected and where it is stored will make it easier to comply with (new) data subject rights – rights to have data deleted and to have it ported to other organisations. This will also have an impact on third party vendors that an organisation works with.
Chief Risk Officer
Chief Information Security Officer
Organisations processing personal data on a large scale will now be required to appoint an independent, adequately qualified Data Protection Officer. This will present a challenge for many medium to large organisations, as individuals with sought-after skills and experience are currently in short supply.
Organisations should now consider carefully how they construct their public-facing privacy policies to provide more detailed information. However, it will no longer be good enough to hide behind pages of legalese. In addition, the Data Protection Act will retain the notion of consent as one of the conditions for lawful processing, with organisations required to obtain 'freely given, specific, informed and unambiguous' consent, while being able to demonstrate these criteria have been met.
Impacts – Technology
Chief Information Officers, Chief Technology Officers and Chief Information Security Officers: Your approach towards the use of technology to enable information security and other compliance initiatives will need to be reconsidered, refocused and repurposed, with costs potentially rising.

1. Breach Reporting
Breach reporting within 72 hours of detection
Significant data breaches will now have to be reported to regulators and in some circumstances also to the individuals impacted. This means organisations will have to urgently revise their incident management procedures and consider processes for regularly testing, assessing and evaluating their end-to-end incident management processes.

2. Online Profiling
Profiling & automatic decision-making becomes a loaded topic
Individuals will have new rights to opt out of and object to online profiling and tracking, significantly impacting direct-to-consumer businesses who rely on such techniques to better understand their customers. Automatic decision-making on issues affecting the privacy or dignity of a data subject is also now regulated. This applies not just to websites/platforms, but also to other digital assets, such as mobile apps, wearable devices, and emerging technologies.

3. Encryption
The Data Protection Act formally recognises the privacy benefits of encryption. In case of a data breach where an encryption safeguard was adopted, the law exempts the data controller or processor from notifying affected data subjects. However, this does not mean that organisations can afford to be complacent, and the exemption may not apply when weak encryption has been used. Given the potential fines, organisations will have to further increase their focus on a robust information and cyber security regime.

4. Privacy-by-Design and Privacy-by-Default
The concept of Privacy by Design and by Default (PbD) is nothing new, but now it is enshrined in the Data Protection Act. Organisations need to build a mindset that has privacy at the forefront of the design, build and deployment of new technologies (by design) and in their business-as-usual operations (by default). One demonstration of PbD is the Data Protection Impact Assessment (DPIA), which is now required to be undertaken for new uses of personal data where the risk to individuals is high.
Impacts – Data
Chief Data Officers, Data Stewards, Chief Marketing Officers, and Digital Leads: Your information management activities have always supported privacy initiatives, but under the Data Protection Act, new activities are required which specifically link to compliance demands.

1. Data Inventories
Identifying and tracking data
Organisations will have to take steps to demonstrate they know what data they hold, where it is stored, and who it is shared with, by creating and maintaining an inventory of data processing activities. Data leads will have to work closely with privacy colleagues to ensure all necessary bases are covered. A thorough system for maintaining inventories needs to be implemented.

2. Right to Data Portability
A new right to request standardised copies of data
A new right to 'data portability' means that individuals are entitled to request copies of their data in a readable and standardised format. The interpretation of this requirement is debatable, but taken broadly the challenges could be numerous – amongst them achieving clarity on which data needs to be provided, extracting data efficiently, and providing data in an industry-standardised form.

3. Right to be Forgotten
A stronger right for consumers to request deletion of their data
A new 'right to be forgotten' is further evidence of the consumer being in the driving seat when it comes to use of their data. Depending on regulatory interpretation, organisations may need to perform wholesale reviews of processes, system architecture, and third party data access controls. In addition, archive media may also need to be reviewed and data deleted.

4. Definitions of Data
The concept of pseudonymisation of data
The Data Protection Act expressly recognises the concept of pseudonymisation of data and places emphasis on data classification and governance. But it remains unclear if and when certain data will be classed as personal data and subject to requirements.
Strategy
A strong starting point determining high-level direction and risk appetite, upon which the organisation builds its privacy organisation.

Privacy Operations
Privacy Impact Assessment and Privacy by Design; Audit and Certification
Embedding privacy into the organisation's project methodology. This is done by efficient and practical guidance during conception of a new or changed product or service (Privacy by Design) as well as assessing new and existing systems following the established Privacy Impact Assessment method. Also covers audit guidance and readiness for certification programs and adherence to code of practice in data protection and privacy.

Processing Inventory
A processing inventory is a fundamental element of any privacy program, and will be a mandatory requirement following the DPA.