The Data Protection (General) Regulations, 2021 and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 have now come into force following the approval of the Regulations by the National Assembly. Also imminently coming into force are the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
The Regulations are poised to revolutionise the manner in which personal data is processed, by fully operationalising and giving effect to the substantive statute, the Data Protection Act, 2019 (DPA). In this regard, the Regulations set out procedural guidelines that must be adhered to by both data controllers and data processors as they interact with personal data.
We set out an overview of the salient provisions of the Regulations below.
The Data Protection (General) Regulations, 2021
The Data Protection (General) Regulations, 2021 (the General Regulations) seek to promote the digital rights of persons in Kenya and to encapsulate key provisions of the substantive statute, the DPA. Some of the salient provisions of the General Regulations include matters relating to consent, commercial use of personal data, data localisation, dealing with data breaches, cross border transfer of personal data and general exemptions, amongst others. We have examined these provisions below.
Consent
Under the General Regulations, data controllers and data processors are required to ensure that a data subject has capacity to consent and voluntarily gives consent. Data controllers and data processors are also required to discharge certain obligations such as notifying the data subject of the purposes of processing as well as the identities of the data controllers and data processors in obtaining consent. Practically, this means that if your institution processes personal data, you will be required to ensure that your contractual terms and conditions meet the information obligations prescribed under the General Regulations.
Commercial Use of Personal Data
Under the General Regulations, data controllers and data processors alike are required to seek specific consent from the data subject if they intend to use personal data for commercial purposes. Practically, this means that if your institution operates cookies on its website for marketing purposes, or a loyalty-based programme, you will be required to ensure that the terms and conditions allow for obtaining specific consent from targeted users as to the use of their personal data for commercial purposes.
Data Localisation
Data controllers and/or data processors are required to ensure that they either process personal data through a data server located in Kenya or store one serving copy in Kenya, if they process personal data for the purposes of strategic interests of the state. Strategic interests of the state include matters such as the administration of civil registration and legal identity management systems and the facilitation of national elections. If your institution carries out such functions, it will be required to either process personal data through a data server located in Kenya or store one serving copy in Kenya.
Cross Border Transfer of Data
Data controllers and data processors may transfer personal data outside the country if the transfer is made on account of either (i) the existence of appropriate data protection safeguards, (ii) an adequacy decision, (iii) the transfer being a necessity, or (iv) the consent of the data subject. Therefore, if your institution transfers personal data to any other country on account of its business structure, e.g. where the organisation stores data in data centres located in other countries, you will be required to ensure that the transfer of personal data is made on one of the above bases.
Breach and Notification
Under the General Regulations, data controllers and data processors are required to notify the Office of the Data Protection Commissioner (ODPC) within seventy-two (72) hours if the breach poses a real risk of harm to the data subject. This includes instances where the breach has occasioned the unauthorised disclosure of a data subject's full name, password, security codes or access codes, among others. Therefore, if your institution has suffered a data breach, you will be required to assess the data breach and determine if the breach poses a real risk of harm to the data subject. If the breach poses such risk, you will be required to make such notifications as prescribed by the DPA, including the notification to the ODPC set out above.
The Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021
The Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 (the Enforcement Regulations) provide for the modes through which data subjects may submit their complaints to the ODPC. These include the submission of complaints electronically through email, a web portal or a complaint management system, or by oral submission. The Enforcement Regulations also provide for the modes through which the ODPC may investigate a complaint, including but not limited to issuing summons, oral examinations and requests for documentation.
The Enforcement Regulations also prescribe the manner in which the ODPC may issue enforcement and penalty notices to data controllers or data processors who are found to be in breach of the DPA or any of the Regulations made thereunder.
One of the key aspects of the Enforcement Regulations is the recognition and support of the use of alternative dispute resolution (ADR) mechanisms such as negotiation, mediation and conciliation to resolve complaints. This is derived from Article 159 of the Constitution, which enjoins courts, tribunals and other administrative bodies to promote and support ADR.
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Registration Regulations) aim to give effect to section 18 of the DPA, which requires all data controllers and data processors to be registered. Under the Registration Regulations, data processors and data controllers who have an annual turnover of below KES 5,000,000 and have fewer than ten (10) employees will be exempt from the registration requirements.
Notwithstanding the foregoing, if your institution processes personal data for the purposes set out under the third schedule of the Registration Regulations, including businesses that operate CCTV systems, engage in direct marketing, provide financial services, property management or telecommunications networks, etc., you will still be required to register as a data controller, data processor or both, as the case may be.
The Registration Regulations come into force six (6) months after the date of publication, which is on 14th July 2022. As such, if your institution processes personal data, the institution will be required to register as either a data controller or data processor or both, as the case may be.
This alert is for informational purposes only and should not be taken to be or construed as a legal opinion. If you have any queries or need clarification as to how the Data Protection Regulations might affect you and/or your business, please do not hesitate to contact John Mbaluto, FCIArb, Deputy Managing Partner; Jacob Ochieng, Partner; Daniel Okoth, Partner; Milly Mbedi, Senior Associate; Nancy Kisangau, Associate; or your usual contact at our firm.