Data Protection Compliance in 2023


Is compliance with the Data Protection Act, 2019 worth it? This is one of the fundamental questions data controllers and data processors have been asking themselves. In my experience, this is partly due to the cost of compliance. Because of the economic downturn, many data controllers and data processors have been plagued with cash flow challenges. However, there are data controllers and data processors around the country who are not taking data protection compliance with the seriousness it deserves. Due to this, some data controllers and data processors have found themselves in the crosshairs of the Office of the Data Protection Commissioner (ODPC).

At times we forget that the Data Protection Act gives effect to the right to privacy provided for under Article 31 of the Constitution. In this article, I highlight key issues that will shape data protection compliance in 2023.

Functional ODPC

In 2022, the ODPC ensured that it was almost fully functional. Last year, the ODPC indicated that it will be rolling out to some of the counties. In 2023, this will firstly take ODPC services closer to the people and secondly, it will hopefully create greater awareness of the provisions of the Data Protection Act. With a functional secretariat, the ODPC has been registering data controllers and data processors, receiving complaints from data subjects, investigating violations of the Data Protection Act, and carrying out public education on the right to privacy, among other activities.

An operational ODPC secretariat signals that the ODPC in 2023 will be ramping up their oversight mandate and exercising their powers under the Data Protection Act. Ensure you are not caught on the wrong side of the law.

Registration with the ODPC

The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 set out who must register with the ODPC. In early December, the ODPC indicated that just over 1000 data controllers and data processors had registered and been issued with a certificate of registration. Considering there are tens of thousands of data controllers and data processors operating in Kenya, the numbers are disappointing to say the least. Failure to register with the ODPC will attract sanctions under the Data Protection Act.

What many data controllers and data processors fail to realise is that the registration process is a start towards compliance. For example, while registering, one is able to undertake a comprehensive data inventory of their data processing operations, identify risks and vulnerabilities, and map out ways to treat any risks identified. These are activities that are integral in setting up a privacy programme; of course, noting that compliance is a process and not an event.

Complaints to the ODPC

Complaints are regulated under the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021. Late in 2022, the ODPC reported having received over 1700 complaints of violations of the Data Protection Act. Almost half of the complaints were against digital lenders; this led to the ODPC writing to 40 digital lenders to show proof of compliance with the Data Protection Act. A complaint against Aga Khan Hospital led to a notice being issued to the hospital, while a complaint against OPPO Kenya led to an administrative fine being issued.

The lesson here for data controllers and data processors is to firstly, ensure compliance with the Data Protection Act. Secondly, set up in-house complaints mechanisms and thirdly, respond to notices from the ODPC within the set-out timelines.

Enforcement of the Act

In the notice to digital lenders, the ODPC gave us a glimpse of some of the key issues the Office will be investigating when carrying out audits. Some of the issues that the ODPC is assessing and auditing include proof of registration with the ODPC, a record of processing operations, demonstration of implementation of data protection principles, privacy notices, proof of consent where required, privacy policies, proof of safeguards for international data transfers, proof of implementation of technical measures such as privacy by default and privacy by design, documentation of commercial use of personal data, data retention schedules, data controller/data processor agreements/contracts, internal complaints handling mechanisms, and data sharing agreements/contracts.

How many of the above compliance mechanisms have you put in place? Remember the ODPC fined OPPO Kenya Ksh. 5,000,000 for non-compliance with the Data Protection Act. Also note that a data subject may file for damages for financial and non-financial loss occasioned by violations of the Act. The financial exposure to your institution may be way above the Ksh. 5,000,000 set out under section 63 of the Act.

What will be interesting to watch in 2023 is firstly, how the ODPC and the courts will deal with applications for damages. Secondly, how appeals from the ODPC will be handled by the courts. Thirdly, how the ODPC will apply alternative dispute resolution mechanisms to disputes between data subjects and data controllers/processors.

My hope is that in 2023 the ODPC and the courts will create robust jurisprudence with well-reasoned and comprehensive decisions on matters arising out of the Data Protection Act. This will act as concrete guidance on how to comply with the Act and Article 31 of the Constitution.

Court cases on the right to privacy

There are several pending court cases based on the right to privacy and some touch on the provisions of the Data Protection Act. Decisions in these court cases will shape data protection compliance in 2023. One such pending case is the appeal at the Supreme Court challenging the Communication Authority’s plan to implement the Device Management System (DMS). At the Court of Appeal, an appeal is pending challenging the High Court’s injunction against the roll-out of the Huduma Namba. The appeal against the operationalisation of the Computer Misuse and Cybercrimes Act is also pending at the Court of Appeal. At the High Court we have a petition pending that is challenging the SIM card registration process and another challenging META’s (Facebook) data processing operations.

In 2022 we witnessed some interesting court decisions on the right to privacy, specifically on image rights, abortion, body autonomy, reporting by the National Council for Law Reporting, and investigations by statutory bodies such as the EACC. We can only expect richer jurisprudence in 2023.

Appointment of Data Protection Officers (DPOs)

Under section 24 of the Data Protection Act, it is not mandatory for a data controller or a data processor to appoint or designate a DPO. 2022 saw an increase in the appointment of DPOs, especially in the financial sector, mostly banks, insurance companies, and microfinance institutions (compliance with the Act is higher in the financial sector). I foresee more sectors in 2023 making DPOs part of their C-Suite.

2022 also saw an increased number of Kenyans seeking data protection certifications. In 2023, there will be a wider pool of data protection professionals to offer compliance advisory services.

International Data Transfers

A fully operational ODPC secretariat will start policing how data controllers and data processors are carrying out their international data transfers and whether the transfers are in compliance with the Data Protection Act. Further, more and more countries now have operational data protection regimes. What this means is that Kenyan entities processing personal data across borders must ensure compliance with data protection laws of other countries.

In December 2022, Tanzania enacted a Data Protection Act, Rwanda’s data protection law comes into force in 2023, Nigeria and India are in the process of debating data protection Bills, and the United Kingdom government has placed Kenya among the priority countries for an adequacy agreement. It is high time you put your international data transfer operations in order.

New ICT Cabinet Secretary

We have had a change of guard at the ICT Ministry. C.S. Hon. Eliud Owalo is now at the helm of the Ministry. The CS has roles to play under the Data Protection Act. What I look forward to in 2023 is a CS who will ensure the independence of, and support for, the ODPC.

Conclusion

A lot will shape data protection compliance in 2023. To ensure some basic compliance as a data controller or a data processor, ensure you: carry out data protection sensitisation training for all within your institution, create a comprehensive data inventory, develop institutional data protection policies, develop privacy notices, appoint/designate data protection officers, ensure fulfilment of data subject rights, carry out data protection impact assessments where necessary, identify and deal with risks, have robust cybersecurity strategies, put in place incident and data breach management strategies, review your agreements/contracts with data controllers/data processors, and register with the ODPC.

2023 will redefine data protection compliance in Kenya.
