In my everyday interaction with clients working in technology, it is clear that most companies feel disconnected from the hype around data protection when going about their day-to-day activities. Most companies don’t feel that data protection is important until they land an investor who asks them if they are registered with the Data Protection Commissioner’s office or if they are scaling into a Payment Service Provider and the Central Bank of Kenya asks them for copies of their Data Protection Policies.
This is the wait-and-see attitude that most companies have taken when it comes to Data Protection. In recent times, this attitude has come at an increasingly high cost as the Office of the Data Commissioner has fined 3 different companies a total of 15 million shillings for violating data privacy laws. The sums, in the current business environment, can cripple a previously thriving enterprise.
These are 3 things you can do to jump ahead of the curve and become compliant with the Data Protection Act:
1. Have the relevant documentation in place
2. Conduct Staff Training
A team is only as strong as its weakest link. Oftentimes, privacy violations are committed by people who are lower in the organization’s hierarchy simply because they are not aware of the legal requirements that relate to Data Protection. This means that it is important to train all your staff on data protection requirements and ensure the knowledge is spread across the organization.
3. Audit your Data & Habits
Sometimes companies have blind spots when it comes to data protection: habits that you might not see but which could eventually land you in trouble. For example, Oppo Kenya was in the habit of using people’s images for marketing without getting their consent. This is a habit that an external auditor could have picked up, saving Oppo the 5 million shilling fine. An external auditor can be a team comprising a legal professional with expertise in privacy law and an IT specialist with an understanding of the technical aspects of information security.
Have you ever audited how your company uses personal data?