Data Protection Act 2019 – How much do you know?
The Data Protection Act 2019 (DPA) was signed into law on the 8th of November 2019.The DPA is almost a mirror image of the European General Data Protection Rules (GDPR) which is one of the strictest data protection legislation globally.
In Kenya the DPA has been in the media mainly over the implementation of a controversial biometric ID scheme known as Huduma Namba. However, the DPA has far reaching implications both for companies and individuals. This article will give you a summary of the main features of the DPA and issues surrounding compliance.
1. What data does data protection apply to?
Any data which uniquely identifies a living person (Kenya ID card, passport number, date of birth, phone number, email address) or ‘sensitive’ data is covered by the DPA. Such person is known as ‘Data Subject’.
2. Who does it apply to?
The DPA applies to Data Controllers and Data Processors (Clause 2 DPA, Article 4 GDPR).
A Data Controller is determines the purpose and means of processing personal data.
A Data Processor processes personal data on behalf of data controller.For example, a telecommunications company with several subscribers engages a mobile money payment company to process mobile money services for its subscribers. The mobile telephony company stores the subscribers’ data through its IT system and provides mobile money services. The telecommunications company is the data controller and the mobile telephony company is the data processor.
3. Eye watering penalties.
Both the DPA and GDPR have severe penalties for breach for data breach:
Under the GDPR there are two tiers of administrative fines that can be levied as penalties for non- compliance:
– Up to €10 million, or 2% annual global turnover – whichever is higher.
– Up to €20 million, or 4% annual global turnover – whichever is higher.Following are examples of some of the highest fines levied under GDPR globally:
– Google LLC – €50 million.
– British Airways – £183 million.
– Marriott International UK – £100 million.
Under the DPA there are there is an administrative fine and a general penalty that can be levied as penalties for non- compliance: Up to KES 5 million or 1% annual turnover – whichever is lower and up to KES 3 million or to an imprisonment of term not exceeding two years, or to both.A “silver lining” is that the penalties have been watered down in the DPA and are not as severe as the one under the GDPR.
However, it is not as simple as it may sound – if you are a Kenya company dealing with an international company (Data Subject) in Europe any breach of the GDPR by Kenya company can be fined under the GDPR!
4. Examples of personal data breaches.
– Access by an unauthorised third party such (For example, ID numbers, phone numbers of third parties clearly visible on the record keeping books on gates of many office blocks);
– Deliberate or accidental action (or inaction) by a controller or processor;
– Sending personal data to an incorrect recipient (use carefully CC to all email):
– Computing devices containing personal data being lost or stolen (hacking and cyber security!);
– Alteration of personal data without permission; and
– Loss of availability of personal data.
5. Lawfulness of processing conditions.
You must have a valid reason before you can process a person’s data – these are known as “lawful basis” or “conditions for lawful processing. The conditions are:
5.1 Consent of data subject OR5.2 Processing is necessary for:
– the performance of a contract.
– the compliance with any legal obligation.
– protect the vital interests of the data subject or another natural person.
– performance of a task carried out in the public interest.
– performance of any task carried out by a public authority.
– the exercise, by any person in the public interest, of any other functions of a public nature;
– the legitimate interests; and
– purpose of historical, statistical, journalistic, literature and art or scientific research.Any processing of data outside of the strict criteria set out herein may lead to severe penalties. Most companies will rely on consent of the data subject for processing their data. However, the consent must be express, unequivocal, free, specific and informed. Therefore, consent cannot be taken by implication or pre-checked boxes.
6. What you must know.
Below are some of the important aspects of the DPA you must know and implement in your daily working practices.
– Data Protection Impact Assessment – The data controller must conduct an impact assessment and to document it before starting the intended data processing, especially when the processing could result in a high risk to the rights and freedoms of individuals.
– Data Portability. A customer has the right to demand the data collected and transfer it over to a new provider, usually within one month. Even if this means transferring to a competitor.
– Right to Erasure – Subject to a few restrictions, a customer has the right to ask for their data to be wiped off the data controller’s system and to make sure that any data which the data controller has shared with a third party does also does so.
– Automated Decision making – There are strict rules around an automated computer-generated decision about the data subject if the decision has a significant or legal effect on the data subject.
– Consent – The consent of a data subject must be freely given, specific, informed and unambiguous under GDPR. This consent can be withdrawn at any time by the data subject.
– Appointment of Data Protection Officer – This is mainly applicable to public companies and large companies which carry out monitoring of individuals on large scale.
7. How to comply with GDPR and DPA.
At the time of writing this Article, the Data Commissioner’s office had not been set up. It remains to be seen how the DPA and its several penalising provisions will be implemented by the office of the Data Commissioner in future.As the saying goes ‘a stich in time saves nine’. Companies and individuals in Kenya have not been given any grace period to comply with DPA. Unlike the GDPR which was adopted on April 2016, and enforceable in May 2018, compliance with the DPA is immediate.It is important organisations seek advice from Data Protection experts and take steps towards ensuring compliance.
Amit Gadhia
Advocate of the High Court of Kenya.
Solicitor of England and Wales (practicing, freelance).
Certified International Privacy Professional-Europe (CIPP/E).
Certified Company Secretary (Kenya).
Corporate Governance Professional (ICSA – UK).
