Data privacy is increasingly becoming a minefield for Kenya’s corporates and institutions. New legislation is set to make it even tougher for those handling huge amounts of private data, as they face huge fines if they are found to be on the wrong side of the law.

President Uhuru Kenyatta in November 2019 signed the Data Protection Act that took effect last year. This sent firms and institutions that collect large volumes of customer data to the drawing board in a bid to design watertight systems to avoid compromising personal data in their custody.

The new law defines how data in the hands of firms and government entities can be handled, stored, and shared. Firms flouting the law face a penalty of up to Sh5 million or one per cent of their preceding year's annual turnover, whichever is lower.

The Data Protection Act requires data controllers and processors, both in Kenya and abroad, to protect the data they collect, inform clients on the use of their personal data, and correct or delete any false representations about them.

The law also guarantees special safeguards for sensitive data such as marital status, sexual orientation, health status and ethnicity. The Act also restricts transfer of personal data to parties outside Kenya. Data handlers must get the nod from the Data Commissioner before transferring the data across borders besides providing a firm assurance that the information will not be misused.

Because of the punitive fines involved, most companies are now coming up with innovative solutions to ensure they stick to the straight and narrow legal imperatives when handling personal data.

However, chances are that some of them will at one time or another run afoul of the data protection law, notwithstanding the measures in place. This is where insurers come in. While insurance companies have long designed policies on cyber-crime, there have been few takers, mainly due to ignorance of the implications of breached data. However, the new law is compelling firms to pause and rethink.

“If you are a data handler or a processor and someone else gets access to the data and the customer sues you, the only protection you can take is a professional indemnity cover,” stated Tom Gichuhi, chief executive of the Association of Kenya Insurers (AKI).

Kenbright Holdings MD Ezekiel Macharia says more firms will go for cyber security cover to avoid liabilities arising from the new legal dispensation.

“Cyber insurance has been there for a while mostly as a protection against hacking and protecting data but now increasingly it will cover the legal implications should the company be penalised,” Mr Macharia told journalists, noting that hospitals could face hefty fines if personal data of their patients is breached by cyber criminals.  

Insurance firms have since last year witnessed an uptick in the demand for cyber security products. This has been attributed to companies seeking to protect their systems as employees worked remotely to curb the spread of Covid-19.

“In terms of trends it has grown so much during the Covid-19 pandemic as people worked from home and vulnerabilities increased with no close network,” Mr Macharia said.

Mr Gichuhi noted that insurers are coming up with solutions on data-driven insurance to help clients conform to the Data Protection Act.

“This is something people need to start thinking about, I know it is still early, the guidelines are still being developed and evaluation of the risk is still a work in progress. This is a new development and will open new areas for potential cover but for now, I do not think we have developed any products for this kind of exposure,” the AKI boss said.

The Data Act has also sparked a boom in data protection and analytics officer jobs in Kenya as corporates scramble to hire software and privacy experts in a race to comply with the law.

Insurers and technology companies are hunting for software and privacy experts.

Section 24 of the Act allows data controllers and data processors to appoint a data protection officer, who may be a staff member, whose role includes advising on compliance with the Act.

All entities whose core activities entail substantial monitoring or processing of personal data have been forced to hire experts to avoid privacy breaches that could lead to hefty fines.

According to the sustainability report of Safaricom, the country’s largest telco, it conducted 36 investigations into alleged fraud, dismissed 28 and warned 19 employees. One case was taken to state authorities for further action. The majority of the cases (22) flagged by Safaricom are related to data privacy, with eight involving breach of policy and four SIM swap cases, while two cases involved asset misappropriation.

