The Act has a lot of similarities to the General Data Protection Regulation (GDPR), the data privacy and protection law of the European Union. GDPR is widely regarded as the toughest privacy and security law in the world. One notable aspect of this law is that it imposes obligations on organisations anywhere in the world, as long as they collect or process the personal data of people in the European Union.
The Office of the Data Protection Commissioner was in place by 2021, after the swearing in of the first Data Commissioner, Ms Immaculate Kassait. Its mandate is, among other things, to regulate the processing of personal data, protect the privacy of individuals and their data, and establish the legal mechanisms for protecting that data.
Personal data is any data relating to an identifiable natural person, e.g. name, address, age, telephone number, gender, date of birth, race, religious beliefs, genetic data, biometric data, health data, etc.
One of the most challenging things about the Data Protection Act is understanding how to apply its principles to everyday situations, especially for small businesses.
The Act sets out principles that guide data protection. These are the principles a business must adhere to when collecting, processing and storing personal data.
Transparency about purpose: when a business collects data, it should be able to state what the data is being collected for. For example, you organise a webinar and collect the name and email address of those interested in attending, and then use that information to send them a newsletter or other offers. You have not been transparent about the reason you collected the data in the first place. Or you start a WhatsApp group, state that it is for one purpose, and end up using it for additional purposes outside the scope of the original set-up. This is a common error if you run more than one business and decide to bombard your clients with everything you do.
Purpose limitation: only collect data for the purpose you actually need it for, and use it only for that purpose. For example, if customers pay you via mobile money, the only reason you need their details is to process those transactions. You cannot then proceed to bombard them with text messages about other products.
Security of the data: this principle focuses on ensuring that data is secured and accessed only by the specific individuals who have been authorised to access it. There are cases where employees gain access to a database and copy all the information and contacts to use for their own personal benefit. It is the responsibility of the business to identify who will have access to the data, who will process it, and how the data should be secured to avoid a breach.
Data minimisation: collect the least amount of data needed. This serves two roles: minimal data is easier to maintain and update where needed, and if there is a breach, only limited information is exposed. For example, when you collect a client's details you may want their name, email address and telephone number. Do you need their physical address, their spouse's details and their children's dates of birth? Probably not.
Accuracy: it is the responsibility of a business to ensure that the data it collects is as accurate as possible. Any request to correct the data must therefore be acted on promptly, and all reasonable efforts must be made to keep the data up to date.
Storage limitation: it is important to have a policy on how long you intend to store the data. For example, if you sell cakes and have collected your clients' preferences, their delivery addresses and other personal data, for how long will you store this information? Six months or six years? What is a reasonable timeframe for you to keep it? Each business can make this assessment and decide what works for it. The exception is where there is a legal requirement to retain information, e.g. for security purposes, but cakes probably don't fall into this category.
Consent: when consent is given, it should be unambiguous, which means it must not only be clear and concise, but must be actively granted rather than assumed. A business can ask whether you wish to receive its newsletter, and the data subject ticks a box to give consent. Be careful to ask for consent for each item separately, e.g. give them separate boxes for newsletter, text message and email so that they can control what they receive. Do not pre-tick the boxes for them.
This is but a snippet into the world of data protection and privacy. For more guidance, please consult your legal or financial professional.
Article written by: Mrs Thrity Engineer-Mbuthia E: thrity@thrityengineer.org T: +254 737 700699 Skype: thrity.engineer