Introduction
Every year since 2007, various countries around the world come together to celebrate Data Privacy Day, observed on the 28th of January. For Kenya, this day commemoration, spearheaded by the Office of the Data Protection Commissioner, brings together Data controllers, industry players, consumers and businesses. The theme for the 2024 celebration is: ‘Fostering a Culture of Data Privacy 2024!’ It is important to note that the main aim of marking this day initially was to bring together businesses and users and raise their awareness of the importance of protecting their personal information on online platforms, i.e., on social sites. In the recent past however, this initiative has expanded to the promotion of events and activities geared towards encouraging development and compliance with data privacy laws and regulations through various multi-stakeholder engagement activities and approaches.
The Data Privacy Journey in Kenya
The Constitution of Kenya, 2010, guarantees the right to privacy as is set out in Article 31 (c & d). The clamour for privacy became apparent due to growing concerns about the unauthorised collection, use, and abuse of personal information by both government entities and private sector firms. This saw the government establish a Data Protection Taskforce in 2012, comprised of various stakeholders; – academia, civil society organizations, experts, and industry representatives. They were tasked with the development of a data privacy and protection framework for Kenya.
Consequently, the taskforce made recommendations which emphasized the need for legislation which takes into consideration individual rights on the one hand, but also leaves room for innovation and economic growth. Following this development, the Data Protection Bill was presented to Parliament in 2019, and passed into law in November of the same year, as the Data Protection Act. The Act provides for the establishment of the Office of Data Protection Commissioner (ODPC), mandated to oversee data protection in Kenya. This includes enforcing compliance, complaints handling, and imposing penalties for those found in breach.
Data Privacy& Protection for the SME Sector
According to the Act, individuals have the right to see the personal information that organizations hold about them and to ask that it be updated or deleted if needed. Additionally, the Act imposes an obligation on organizations to handle personal data responsibly, which includes getting consent from individuals, putting cybersecurity measures in place to protect against data theft or misuse, and also alerting people (especially those affected) when a data breach occurs.
One of the sectors of the Kenyan economy that heavily collects and collates data and information in their daily operation is the Small and Medium Enterprises (SMEs). Noting that it accounts for over 80 percent of total employment, whose data and information it possesses, it is therefore paramount that sector players put in place the necessary measures to ensure their consumer/customer information is protected from unauthorised access, use, and/or abuse.
The SME sector in Kenya has recently been faced with issues that hinge on the privacy of the data they have. In a policy brief titled ‘Combating Kleptocracy: State of Play in Kenya[1]”, one of the key issues that was identified is the need to “Dispel fears among the business community as to the safety of their information noting the protection by the Data Protection Act 2019.” This emanated from a diverse representation of SMEs who were sceptical as to whether to give their business information which they felt was sensitive, to the registering entity, in this case, the business registration service.
SMEs have immense and untapped potential that they can utilize to position themselves as strategic players in the dynamic landscape of the digital age. In line with challenges related to IT infrastructure and data storage, SMEs should undertake to understand how to securely store their data both locally and in other storage locations at their disposal. In addition, SMEs have not fully embraced policies that fully address privacy and security concerns, which is crucial to help in the accumulation and storage of information. This is exacerbated by the lack of adequate awareness of the provisions of the Data Protection Act, 2019, which the ODPC should embark on forthwith.
Many SMEs also do not have specific departments that are tasked with data management which may be due to budget constraints or lack of trained or expert personnel. It is important to note that the technology world is evolving, which requires SME’s to also shift gears to understand the magnitude and value of big data that they are holding, and how to leverage the same to their advantage, within the provisions of the Act.
Conclusion
As the world marks the Data Protection Day, it is noteworthy that Kenya has made a huge leap in terms of ensuring that the legal and institutional framework for data privacy and protection is in place. This, however, needs to be taken a notch higher in terms of roping in SME sector players, who not only have a massive dataset at their disposal, but also employ many individuals from whom they collect massive information. There is the need to ensure a balance is created between fostering of innovation within the SME sector, versus individual rights, if Kenya is to tap into the immense power of data on the one hand, while ensuring citizens’ privacy is protected on the other. Nevertheless, the spirit and letter of the Data Privacy and Protection Act must be upheld for this end to be achieved.
Photo credits: Freepik
[1]https://ieakenya.or.ke/download/combating-contemporary-kleptocracy-state-of-play-in-kenya/
The Price Control Act of 2011, with its imposition of price ceilings on essential goods, represents a significant intervention in the natural forces of supply and demand that govern a free market. The Act empowers the Minister to control the prices of essential goods, preventing them from becoming unaffordable. The Act outlines a specific mechanism […]
The earliest proposition of fiscal consolidation can be traced back to the Keynesian theory which argues that fiscal austerity measures reduce growth and increases unemployment through aggregate demand effects. According to this theory, government undertaking contractionary fiscal policies of either reducing government spending or increasing tax rates, will eventually suffer a reduction in aggregate demand […]
We recommended (“And then, Floods”) that the Central Bank of Kenya policy rate should be lowered by 300 basis points, from 13 to 10 percent, from August 6. Instead, a reduction of just 25 basis points, from 13 to 12¾, was made on that date. Someone is wrong. Who? In explaining the 25bp decision, it […]
There has been a misconception that when the Finance Bill 2024 was formally withdrawn, all government operations would stop because revenues would not be raised. To understand this misconception, we need to understand what a finance bill is, what revenue-raising measures are, and how that is related to the tax code. A Finance bill is […]
1. Introduction Fiscal decentralisation is a core part of Kenya’s Constitutional order. Fiscal decentralisation is allocating revenue and expenditure responsibilities to lower levels of government. Kenya’s identity as a sovereign republic, as stated in Article 4 of its Constitution, is deeply intertwined with the national value of devolution, emphasised in Article 10. This unique relationship […]
Post date: Mon, Feb 5, 2024 |
Category: Data Privacy |
By: Stephen Jairo, |
Introduction
Every year since 2007, various countries around the world come together to celebrate Data Privacy Day, observed on the 28th of January. For Kenya, this day commemoration, spearheaded by the Office of the Data Protection Commissioner, brings together Data controllers, industry players, consumers and businesses. The theme for the 2024 celebration is: ‘Fostering a Culture of Data Privacy 2024!’ It is important to note that the main aim of marking this day initially was to bring together businesses and users and raise their awareness of the importance of protecting their personal information on online platforms, i.e., on social sites. In the recent past however, this initiative has expanded to the promotion of events and activities geared towards encouraging development and compliance with data privacy laws and regulations through various multi-stakeholder engagement activities and approaches.
The Data Privacy Journey in Kenya
The Constitution of Kenya, 2010, guarantees the right to privacy as is set out in Article 31 (c & d). The clamour for privacy became apparent due to growing concerns about the unauthorised collection, use, and abuse of personal information by both government entities and private sector firms. This saw the government establish a Data Protection Taskforce in 2012, comprised of various stakeholders; – academia, civil society organizations, experts, and industry representatives. They were tasked with the development of a data privacy and protection framework for Kenya.
Consequently, the taskforce made recommendations which emphasized the need for legislation which takes into consideration individual rights on the one hand, but also leaves room for innovation and economic growth. Following this development, the Data Protection Bill was presented to Parliament in 2019, and passed into law in November of the same year, as the Data Protection Act. The Act provides for the establishment of the Office of Data Protection Commissioner (ODPC), mandated to oversee data protection in Kenya. This includes enforcing compliance, complaints handling, and imposing penalties for those found in breach.
Data Privacy& Protection for the SME Sector
According to the Act, individuals have the right to see the personal information that organizations hold about them and to ask that it be updated or deleted if needed. Additionally, the Act imposes an obligation on organizations to handle personal data responsibly, which includes getting consent from individuals, putting cybersecurity measures in place to protect against data theft or misuse, and also alerting people (especially those affected) when a data breach occurs.
One of the sectors of the Kenyan economy that heavily collects and collates data and information in their daily operation is the Small and Medium Enterprises (SMEs). Noting that it accounts for over 80 percent of total employment, whose data and information it possesses, it is therefore paramount that sector players put in place the necessary measures to ensure their consumer/customer information is protected from unauthorised access, use, and/or abuse.
The SME sector in Kenya has recently been faced with issues that hinge on the privacy of the data they have. In a policy brief titled ‘Combating Kleptocracy: State of Play in Kenya[1]”, one of the key issues that was identified is the need to “Dispel fears among the business community as to the safety of their information noting the protection by the Data Protection Act 2019.” This emanated from a diverse representation of SMEs who were sceptical as to whether to give their business information which they felt was sensitive, to the registering entity, in this case, the business registration service.
SMEs have immense and untapped potential that they can utilize to position themselves as strategic players in the dynamic landscape of the digital age. In line with challenges related to IT infrastructure and data storage, SMEs should undertake to understand how to securely store their data both locally and in other storage locations at their disposal. In addition, SMEs have not fully embraced policies that fully address privacy and security concerns, which is crucial to help in the accumulation and storage of information. This is exacerbated by the lack of adequate awareness of the provisions of the Data Protection Act, 2019, which the ODPC should embark on forthwith.
Many SMEs also do not have specific departments that are tasked with data management which may be due to budget constraints or lack of trained or expert personnel. It is important to note that the technology world is evolving, which requires SME’s to also shift gears to understand the magnitude and value of big data that they are holding, and how to leverage the same to their advantage, within the provisions of the Act.
Conclusion
As the world marks the Data Protection Day, it is noteworthy that Kenya has made a huge leap in terms of ensuring that the legal and institutional framework for data privacy and protection is in place. This, however, needs to be taken a notch higher in terms of roping in SME sector players, who not only have a massive dataset at their disposal, but also employ many individuals from whom they collect massive information. There is the need to ensure a balance is created between fostering of innovation within the SME sector, versus individual rights, if Kenya is to tap into the immense power of data on the one hand, while ensuring citizens’ privacy is protected on the other. Nevertheless, the spirit and letter of the Data Privacy and Protection Act must be upheld for this end to be achieved.
Photo credits: Freepik
[1]https://ieakenya.or.ke/download/combating-contemporary-kleptocracy-state-of-play-in-kenya/
The Price Control Act of 2011, with its imposition of price ceilings on essential goods, represents a significant intervention in the natural forces of supply and demand that govern a free market. The Act empowers the Minister to control the prices of essential goods, preventing them from becoming unaffordable. The Act outlines a specific mechanism […]
The earliest proposition of fiscal consolidation can be traced back to the Keynesian theory which argues that fiscal austerity measures reduce growth and increases unemployment through aggregate demand effects. According to this theory, government undertaking contractionary fiscal policies of either reducing government spending or increasing tax rates, will eventually suffer a reduction in aggregate demand […]
We recommended (“And then, Floods”) that the Central Bank of Kenya policy rate should be lowered by 300 basis points, from 13 to 10 percent, from August 6. Instead, a reduction of just 25 basis points, from 13 to 12¾, was made on that date. Someone is wrong. Who? In explaining the 25bp decision, it […]
There has been a misconception that when the Finance Bill 2024 was formally withdrawn, all government operations would stop because revenues would not be raised. To understand this misconception, we need to understand what a finance bill is, what revenue-raising measures are, and how that is related to the tax code. A Finance bill is […]
1. Introduction Fiscal decentralisation is a core part of Kenya’s Constitutional order. Fiscal decentralisation is allocating revenue and expenditure responsibilities to lower levels of government. Kenya’s identity as a sovereign republic, as stated in Article 4 of its Constitution, is deeply intertwined with the national value of devolution, emphasised in Article 10. This unique relationship […]