In my everyday interaction with clients working in technology, it is clear that most companies feel disconnected from the hype around data protection when going about their day-to-day activities. Most companies don’t feel that data protection is important until they land an investor who asks them if they are registered with the Data Protection Commissioner’s office or if they are scaling into a Payment Service Provider and the Central Bank of Kenya asks them for copies of their Data Protection Policies.
This is the wait-and-see attitude that most companies have taken when it comes to Data Protection. In recent times, this attitude has come at an increasingly high cost as the Office of the Data Commissioner has fined 3 different companies a total of 15 million shillings for violating data privacy laws. The sums, in the current business environment, can cripple a previously thriving enterprise.
These are 3 things you can do to jump ahead of the curve and become compliant with the Data Protection Act;
1. Have the relevant documentation in place
Rather than wait for a request for inspection by the ODPC or for the CBK to ask you for copies of the relevant documents in place, It is important to stay ahead by preparing the documents which are relevant to your business. For example, if you are an e-commerce company that handles vendors and merchants, you need to have a data protection policy, a privacy policy and a data retention policy that documents how long you intend to retain the person’s data in your possession. You might also need access request forms to enable users to access the personal information that you currently hold.
2. Conduct Staff Training
A team is only as strong as its weakest link. Oftentimes, privacy violations are done by people who are lower in the organization’s hierarchy simply because they are not aware of the legal requirements that relate to Data Protection. This means that it is important to train all your staff on data protection requirements and ensure the knowledge is spread across the organization.
3. Audit your Data & Habits
Sometimes companies have blindspots when it comes to data protection, these are habits that you might not see which could eventually land you in trouble. For example, Oppo Kenya was in a habit of using people’s images for marketing without getting their consent. This could have been a habit that could have been picked by an external auditor and saved Oppo the 5 million shilling fine. An external auditor can be a team comprising a legal professional with expertise in privacy law and an IT specialist with an understanding of the technical aspects of information security.
Have you ever audited how your company uses personal data?
The writer is a lawyer who specializes in offering legal services to people in technology. You can reach him through info@masibolaw.co.ke
