LEGAL ALERT: Kenyan Data Commissioner Issues New Draft Data Protection (General) Regulations, 2021

Posted on April 19th, 2021

The Kenya Data Protection Act, 2019 has been in force for over one year. Our in-depth analysis of what the provisions of the Act mean for your business can be found here. The first Data Commissioner was appointed in November 2020. After her appointment, she commenced the formalities of setting up the office, and now that things have settled down, we are closer to seeing the regulator flex its muscle as it commences enforcement of the provisions of the Act.

Due to the varied interpretation of the provisions of the Act, it was necessary for the privacy regulator to issue follow-up regulations and guidelines. These give further guidance on implementing the provisions of the Act. The regulations also contain the official forms to be used as required by the Act.

Last year, the Data Commissioner’s office issued the following guidelines, which can be found here:

  1. Data Protection Impact Assessment (DPIA) guidelines
  2. Guidance Note on Consent
  3. Complaints Management Manual

In April 2021, the office issued these further draft regulations, which are now subject to public participation before adoption:

  1. The Data Protection (Compliance & Enforcement) Regulations, 2021;
  2. Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021; and
  3. The Data Protection (General) Regulations, 2021.

These draft regulations are timely since, in the last year, data controllers and processors have adopted different ways of implementing this Act in their business procedures to achieve some sort of compliance. This is because the Act became enforceable immediately upon its enactment unlike the EU General Data Protection Regulation (https://gdpr-info.eu/) which became enforceable two years after its adoption.

We shall issue several articles analyzing the specific regulations. This article reviews the Data Protection (General) Regulations, 2021.

What should you expect?

The Data Protection (General) Regulations 2021 provide the ‘how’ of complying with the provisions of the Act. They are applicable to data controllers and processors except civil registration entities specified under the Data Protection (Civil Registration) Regulations. Some of the key provisions include:

1. Part II – Enabling the Rights of a Data Subject

This part makes provision for enabling the digital rights of a data subject, including consent, collection of data, erasure, rectification and the right to data portability. Accordingly, data controllers and data processors must ensure strict compliance. Any non-conformity may lead to breaches or citations, which may result in reputational or financial losses to the business.

Some of the key provisions include:

Regulation: Consent by Data Subject (Reg 4)
Particulars: Subject to Section 32 of the Data Protection Act, which provides for the conditions for consent, the General Regulations require the data controller/processor to inform the data subject of the nature and scope of personal data to be processed, the reasons for processing the required personal data, and whether the personal data processed shall be shared with third parties.
Action to be taken: Put in place mechanisms to verify the subject’s capacity to understand and communicate their consent and ensure it is given voluntarily. Communicate the nature of processing in simple and clear language that is understandable. Design solid consent mechanisms into your business processes. This may involve enhancing your technology infrastructure or re-designing it to track the data subject journey and accommodate valid consent mechanisms. Staff may require training to create internal awareness.

Regulation: Collection of Personal Data (Reg 5)
Particulars: Pursuant to Section 28 of the Act, the General Regulations require a controller/processor to collect personal data permitted by the subject, while taking steps not only to ensure the quality of personal data but also to secure it. Where the collection concerns sensitive personal data, it must be collected directly from the subject.
Action to be taken: To reduce the likelihood of liability in case of a breach, this may require an enhancement of the current technology that safeguards data. Controllers/processors must put in place technical measures that guarantee the protection of personal data. Businesses need to adopt data security measures such as data encryption, strong passwords and firewalls to shield themselves from breaches. Read Legal Issues to consider when developing digital Apps and services.

Regulation: Data Access Request (Reg 8)
Particulars: The General Regulations make provision for data access requests, although they also set out instances where access may be denied, mostly on security grounds.
Action to be taken: To demonstrate compliance, design and document data subject request response procedures and ensure that they are embedded in the data protection policy and designed into the existing business processes to honour the timelines required by the Act. Consider safeguarding your existing intellectual property rights, such as the preservation of trade secrets, and determine what information cannot be accessed or released. Put in place electronic or manual mechanisms for the subject to access personal data. Consider the security of systems that will allow for such third-party access.

Regulation: Data Portability (Reg 10)
Particulars: A data controller/processor is required to comply with a request for portability within 30 days from the date of receipt of the request. The General Regulations allow for a payment to be made, but such payment must be reasonable and should not exceed the actual cost incurred to actualize the request.
Action to be taken: To demonstrate compliance, design and document data subject request response procedures and ensure that they are embedded in the data protection policy and designed into the existing business processes to honour the timelines required by the Act. Consider intellectual property rights, such as the preservation of trade secrets, and determine what information cannot be accessed or released. Read our review of the Intellectual Property Bill here. Consider the financial implication of the media that will be used to facilitate data portability, whether manual or electronic, and its compatibility.

Regulation: Right to Rectification (Reg 9) and Right to Erasure (Reg 11)
Particulars: Pursuant to Section 40 of the Act, the General Regulations allow for erasure in certain instances, including where the processing of personal data is for direct marketing purposes and the individual objects to that processing. This is in addition to where consent is withdrawn, the purpose for collection has been served, or the subject objects to processing with no overriding legitimate interest. A rectification request should be effected within 7 days of receipt of the request.
Action to be taken: To demonstrate compliance, design and document data subject request response procedures and ensure that they are embedded in the data protection policy and designed into the existing business processes to honour the timelines required by the Act. A controller/processor should therefore now be conscious of their data storage mechanisms and systems, ensuring that they are accessible to authorized staff who can effect requests for erasure within a reasonable time.

2. Part III – Restrictions on the Commercial Use of Personal Data

Regulation: Modes of Direct Marketing (Reg 13)
Particulars: Pursuant to Section 37 of the Data Protection Act, marketing is not direct if personal data is not used or disclosed to identify or target particular recipients. Marketing for commercial purposes includes where a controller/processor: sends a catalogue through any medium addressed to a data subject; displays an advertisement on an online media site that a data subject is logged on to, using their personal data, including data collected by cookies; or sends an electronic message to a data subject about a sale, or other advertising material relating to a sale, using personal data provided by a data subject.
Action to be taken: Re-design consent mechanisms to cater for clear opt-in and opt-out and reduce bundled consent. Establish up-to-date marketing preference registers that always reflect the data subject’s preferences and choice. Evaluate the legal basis for sending direct marketing information to a data subject, e.g. where the controller can rely on a soft opt-in. Evaluate any data scraping policies and engagements in place to ensure conformity.

Regulation: Permitted Commercial Use of Personal Data (Reg 14, 15, 16 & 17)
Particulars: A controller or processor can use personal data, other than sensitive information, for the purpose of direct marketing only if the data was collected from the subject and the subject has consented to direct marketing, or where the controller/processor has provided a simple opt-out mechanism and the subject has not made an opt-out request. The General Regulations allow nominal costs. The General Regulations provide different ways of complying with the opt-out option and also allow the controller/processor to use an opt-out mechanism that gives a data subject the opportunity to indicate their direct marketing communication preferences, including the extent to which they wish to opt out.
Action to be taken: Re-design consent mechanisms to cater for clear opt-in and opt-out and reduce bundled consent. Establish up-to-date marketing preference registers that always reflect the data subject’s preferences and choice. Evaluate the legal basis for sending direct marketing information to a data subject, e.g. where the controller can rely on a soft opt-in. Businesses will need to evaluate their opt-out mechanisms to align them with the regulations. They need to ensure that these opt-outs are visible, with a clear and easily understood explanation of how to opt out, a simplified method of opting out, and a direct and accessible communication channel.

3. Part IV – Obligations of Data Controllers and Data Processors

Regulation: Retention of Personal Data (Reg 18)
Particulars: The General Regulations require a controller/processor to establish a personal data retention schedule with appropriate time limits, considering the purpose, the period, provision for periodic audit of the data retained, and the actions to be taken after the audit. This is pursuant to Section 39 of the Data Protection Act.
Action to be taken: Design a solid privacy policy and data retention policy and embed them in the data protection policy. Train staff to create awareness and ensure all business units are aligned. Read our analysis of why today’s CISO and CIO must be aware of the provisions of the Act here. Establish guidelines on how to erase or anonymize personal data upon the lapse of the purpose for which it was collected. Consider the various exemptions to deletion of data as well as other legislation on retention periods.

Regulation: Sharing of Personal Data (Reg 20)
Particulars: Subject to Section 25 of the Act, which provides for the principles of data protection, and Section 55, which makes provision for a data-sharing code, a controller/processor can share or exchange personal data collected by it, upon request, with another controller, processor, third party or data subject. The General Regulations also set out instances of permitted data sharing, which include providing personal data to a third party, providing a third party with access to personal data on the data controller’s information systems, and receiving personal data as a joint participant in a data sharing arrangement.
Action to be taken: Businesses should engage advocates to assist them in drafting data-sharing agreements that govern how data is shared and the obligations of the recipient to ensure the protection of personal data. Businesses need to look at their information systems set-up to accommodate such activities.

Regulation: Automated Individual Decision Making (Reg 21)
Particulars: The General Regulations provide the guidelines for making automated decisions pursuant to Section 35 of the Act. This includes providing meaningful information about the logic involved.
Action to be taken: Have a proper guideline that explains the significance and envisaged consequences of the automated decision-making process. Use appropriate mathematical or statistical procedures, and put appropriate technical and organizational measures in place to correct inaccuracies and minimize the risk of errors. Ultimately, businesses should process personal data in a way that prevents discriminatory effects. Consider the human interface in the process.

Regulation: Data Protection Policy (Reg 22)
Particulars: The General Regulations make it mandatory for a controller/processor to publish and regularly update a policy reflecting their personal data handling practices. The policy should at a minimum include: the nature of personal data collected and held; how a data subject may access their personal data and exercise their rights in respect of that personal data; complaint handling mechanisms; the lawful purpose for processing personal data; obligations or requirements to transfer personal data outside the country, to third parties, or to other controllers or processors located outside Kenya; the retention period and schedule discussed at clause 10 above; and the collection of personal data about a vulnerable segment of the community, including children, and the criteria applied.
Action to be taken: Since policies cannot be one-size-fits-all, businesses need to evaluate the lifecycle of data once collected and their data processing activities to ensure that the policy addresses all instances of processing. The policy will instil confidence in data subjects and business partners as to the privacy and protection of the personal data they share. Privacy policies must be living documents, in tune with the strategy of the business and the sector in which it operates.

Regulation: Agreement between Data Controller and Data Processor (Reg 23, 23 & 24)
Particulars: The General Regulations allow a controller to engage a processor through a written agreement. A data processor is obligated not to deal with third parties except where authorised by the controller, and remains liable to the controller for compliance by the third party.
Action to be taken: Businesses should therefore ensure that any data processing agreement includes the processing details, the written instructions of the data controller, the processor’s obligation of confidentiality, the security measures to keep personal data secure, deletion of data, and auditing and inspection provisions for the controller. Businesses must also align the agreements with the requirements of the regulations as to which specified processing must be done in Kenya. This will prevent instances of breach that may result in reputational damage and subsequent losses to the business. For instance, processing relating to the management of any system designated as a protected computer system under section 20 of the Computer Misuse and Cybercrime Act, 2018 must be done in Kenya. Read our review of this Act here.

4. Part V – Elements to Implement Data Protection by Design or by Default

Regulation: Data Protection by Design or Default (Reg 26 & 27)
Particulars: Pursuant to Section 41 of the Data Protection Act, the General Regulations require a controller/processor to establish data protection mechanisms, under both the Act and the General Regulations, with privacy embedded in the processing of personal data throughout its life cycle, which must also reflect the principles of data protection.
Action to be taken: Businesses must be seen to embed data privacy mechanisms in their operations, and not just on paper or in policies. Their services and products must entrench privacy.

Regulation: Elements for Data Protection Principles (Reg 28, 29, 30, 31, 32, 33 & 34)
Particulars: The General Regulations proceed to set out elements for each principle that may be included in data protection by design or default. The particular principles provided for include: The General Regulations prescribe necessary elements that controllers and processors may adopt to ensure data protection is embedded in processing throughout the life cycle.
Action to be taken: Practically, businesses should first ensure that their policies are updated and assign someone to be responsible for data protection. This will demonstrate their commitment to privacy to both regulators and customers. When developing systems and processes for handling data, businesses should contemplate privacy risks beforehand and take steps to minimize or eliminate such risks by building these steps into the system. Businesses must therefore aim to be preventive, not remedial.

5. Part VI – Notification of Personal Data Breaches

Regulation: Categories of Notifiable Data Breach (Reg 35)
Particulars: A breach is taken to result in real risk of harm to the subject where the breach relates to: the data subject’s full name or identification number, or the data subject’s account identifier, such as an account name or number; and any password, security code, access code, response to a security question, biometric data or other data that is used or required to allow access to or use of the individual’s account.
Action to be taken: There is therefore a need for businesses to adopt data minimization by collecting only what is necessary to serve the purpose of collection. This reduces the volume of personal data exposed. Additionally, access to personal data should be restricted to reduce instances of breach. Businesses should ensure that, in data processing arrangements internally or with third parties, the notification processes to the controller/data subject are alive to practical scenarios.

Regulation: Notification to Data Commissioner (Reg 36)
Particulars: Pursuant to Section 43 of the Act, the General Regulations set out the particulars that a notification of breach to the Data Commissioner should include, such as the date on which the controller/processor first became aware that the breach had occurred, a chronological account of the steps taken after becoming aware, the personal data affected, the number of data subjects affected, and the potential harm to the affected data subjects.
Action to be taken: Controllers/processors must therefore be keen to establish guidelines that inform the process of notification within the statutory time of 72 hours provided for in Section 43(1)(a) of the Act. Controllers/processors can have automated processes for reporting breaches within these provisions.

6. Part VII – Transfer of Personal Data Outside Kenya

Regulation: Transfer of Personal Data Outside Kenya (Reg 38, 39, 40 & 41)
Particulars: Pursuant to Sections 48 & 49 of the Data Protection Act, the General Regulations require a controller/processor, as a transferring entity of personal data, to ensure that the recipient is bound by a standard of protection comparable to that in our Act and the General Regulations. In addition, the subject must consent to the transfer of their personal data. A country is taken to have safeguards if the country has:

7. Part VIII – Data Protection Impact Assessment

Regulation: Data Protection Impact Assessment – Processing Activities and Assessment Reports (Reg 42, 43, 44 & 45)
Particulars: In line with Section 31 of the Act, the General Regulations make provision for processing operations taken to constitute high risk and that require a data protection impact assessment to be conducted before processing. The list includes processing biometric or genetic data, and processing sensitive personal data or data relating to children or vulnerable groups, among other high-risk processing. The General Regulations also provide a template to be used where a DPIA is required. In some instances, the controller/processor may consult the Office of the Data Commissioner for advice. Having reviewed the DPIA report, the Office may make recommendations to guide the processing. Pursuant to section 23 of the Act, the Data Commissioner may also carry out periodic audits to monitor compliance with assessment reports.
Action to be taken: DPIAs are going to be an ongoing requirement for businesses, both initially and when new digital services/products are being implemented. Businesses must therefore have in place an audit system to assess high-risk processing operations. They must also undertake and prepare assessment reports setting out the security measures taken to ensure the right to privacy is respected. Noting that some controllers are separately regulated where risk audits are a requirement, there may be a need for sector-specific guidelines to be issued as to the different DPIA formats to be adopted.

Conclusion

One thing of importance to note is that the General Regulations allow a controller/processor to apply for exemption from certain provisions of the Act where they process personal data for national security or on grounds of public interest, pursuant to Section 51(2)(b) of the Act.

As to offences, the General Regulations allow the Data Commissioner to compound offences under Section 58(8) and Section 74 of the Act (these are offences that relate to non-compliance with directions of the regulator’s office) by making an order for the payment of a sum not exceeding two-thirds of the maximum fine that would otherwise have been imposed upon conviction. This continues to show how costly non-compliance with the Data Protection Act, 2019 and the General Regulations would be for businesses. The cost of compliance far outweighs potential reputational damage and financial losses due to non-conformity.

The General Regulations also provide for numerous forms and templates for use by data controllers and processors in the process of complying with the different provisions of the General Regulations as well as those for use by data subjects in realizing their privacy rights under the Act.

We are keen to see how different sector players will implement internal compliance as they fine-tune their processes to not only serve business strategies but also to ensure the Right to Privacy is upheld. We are also keen to see how the Data Commissioner’s Office will roll out its enforcement efforts, given the peculiarities presented by the Kenyan ecosystem and landscape in the various sectors. Finally, as with most regulators, we are keen to see how enforcement will be undertaken by this office in light of the wide range of persons and entities that are now under its oversight authority.

For further information please contact tmt@tripleoklaw.com