- Registration with the Office of the Data Protection Commissioner
No person or organisation may act as a data controller or data processor unless registered with the Data Commissioner. Registration is required if an organisation has an annual turnover of KES 5 million and above and more than 10 employees. However, an organisation that falls within the non-exempt mandatory registration entities must register irrespective of revenue or number of employees. Here is the link to the list of mandatory registration entities.
- Transparency and lawfulness are key
Honesty is of absolute importance when an organisation processes personal data. This means clearly explaining to the individuals whose personal data is processed, including employees, how their data is collected, processed, shared and eventually disposed of. A lawful basis for processing must be identified for each piece of personal data; the permitted bases are prescribed under the Data Protection Act, 2019.
- Train your employees
Training employees is key to reducing data breaches for any organisation, together with regular refresher training on ever-evolving data protection laws. Random data breach “drills” should be conducted to test the appropriate and timely steps to be taken in the event of a data breach.
- Limit the collection of personal information
Avoid collecting unnecessary and excessive personal data. This is in compliance with the principle of data minimisation. Review your organisation’s forms which collect personal data and objectively assess whether the data collected is absolutely necessary for processing. A “record and save everything” approach is a sure way to a personal data breach.
- Protect personal information
The law requires controllers and processors to protect personal data. This includes securing documents containing personal data under lock and key, and encrypting mobile devices, laptops, hard drives and USB keys that may contain personal information. Passwords are an important security feature for keeping personal data safe. A regular and mandatory password change requirement must be implemented throughout the organisation.
- Communication etiquette
Emails and phone numbers are also personal data. When publishing newsletters or marketing emails to the personal email addresses of individuals, it is best practice to use blind carbon copy (BCC) and not carbon copy (CC). When using messaging apps for chats, an organisation must seek individuals’ consent before adding them to a chat group. This is good communication etiquette and avoids data breaches.
- Review your contracts and draft necessary policies
Most contracts which involve the processing of personal data do not have adequate data protection compliance clauses. Regular reviews of contracts with your customers, suppliers and vendors are vital in apportioning liability in the event of a data breach and help in reducing the same. Draft relevant data protection compliant policies, and train and communicate the policies to employees.
- Printing and photocopying
When employees use a shared printer, they must check that they have not left anything behind after completing the printing or photocopying. Photocopiers should be kept away from public view, and a sign at the printer is a good way of reminding staff to collect all their paperwork. Wireless printers store personal data. When disposing of printers, ensure the hard drive is wiped of all personal data.
- Clean desk habit
Provide employees with secure storage for documents and ask them to lock their screens when they’re away from their desks. This deters the disclosure of personal data to unauthorised persons.
- Management support is paramount
Data protection compliance is a top-to-bottom approach. A robust data protection framework, funding of data protection projects and cooperation with the regulatory authorities by the executive board should be the backbone of any organisation’s overall data protection governance strategy.
*Here is the link for more data protection resources.
This post is intended to be of general use only and should not be relied upon without seeking expert legal advice.
Amit Gadhia
- LL.B (Hons) – Cardiff University, Wales, UK
- Advocate of the High Court of Kenya
- Solicitor of England and Wales
- Certified International Privacy Professional – Europe (CIPP/E)
- OneTrust Fellow of Privacy Technology
- Privacy Engineering Certified (Data Protocol – foundation level)