Road to Compliance - Kenya Data Protection Act, 2019 (DPA)

Data privacy is currently a high-profile topic: regulations are multiplying at national and international levels to define personal data and establish controls governing its maintenance and use, with growing enforcement of customers’ rights to appropriate data use.

Understanding that organizations gather more sensitive customer data to enable their services, in more applications, and in more locations than ever before, it is easy to conclude that data privacy is a challenge and must be among the top priorities.

In a rapidly changing context, with ever larger volumes of data available, ensuring that data is secured and that all data protection regulations are respected is both a priority and a critical challenge, and data mismanagement has become a real risk.

The roll-out of Kenya’s data protection framework, the Data Protection Act (DPA) of 2019, is still in an emerging phase, and it is important to raise awareness of its challenges and opportunities.

Organizational impacts

The Data Protection Act impacts the operation of every organization from three main perspectives.

First, from the legal and compliance point of view, where new figures are introduced:

  • The data subject - the person who is the subject of personal data, where personal data refers to any information relating to an identified or identifiable natural person.

  • The Data Controller - defined as a person or body who determines the purpose and means of processing of personal data.

  • The Data Processor - defined as a person or body that processes personal data on behalf of the Data Controller.

Additionally, there is the figure of the data protection officer, who acts as an interface with the Data Commissioner and is at the same time responsible for compliance with the Data Protection Act on behalf of one or more data controllers or processors.

From the technological perspective there may be huge impacts on the organization’s technical ecosystem, depending on its complexity and size, on the number of systems, and on how those systems are integrated.

These impacts affect almost every aspect of the data life cycle, from collection to storage, with a special focus on how data is secured and protected from any kind of data breach, forcing the implementation of data protection by design and by default.

Data protection by design - Organizations should implement technical and organizational procedures when designing processing operations that guarantee data privacy and protection principles from the beginning.

Data protection by default – Organizations must ensure that personal data is processed with the highest level of privacy protection (processing only the necessary data, stored for the shortest period possible), so that by default personal data is not accessible to an indefinite number of persons.

And of course, the most critical perspective to be affected will be the data itself. Compliance with the Data Protection Act is truly a data management challenge, involving the capability to know and control all the personal data existing in the organization’s systems ecosystem, from the moment it is collected to the moment it is destroyed, controlling how it is accessed, who accesses it, how it flows across systems, which processes use it, and so on.

A few concepts

One of the most important concepts introduced is consent: any kind of data classified as personal can only be processed with the consent of the data subject and in accordance with the data protection principles. The data subject also has the right to object to the processing of their personal data, with a few exceptions, and must explicitly consent to its commercial use.

This turns every data controller or processor into a custodian of personal data, obliged to create and implement all the necessary measures to protect that data against foreseeable internal and external risks.

Related to the concept of data protection by design that I mentioned before is the Data Protection Impact Assessment (DPIA), an assessment of the impact of the predicted processing operations on the protection of personal data. The DPIA allows for better decision-making at the implementation stage and avoids the need for expensive subsequent improvements or potential leaks of personal data. Based on the outcome of the analysis, the appropriate measures to remedy the risks should be adopted and implemented. For data controllers and processors, it is an important instrument to establish compliance with the DPA requirements.

The Act also introduces the obligation to report any data breach to the Data Commissioner within seventy-two hours of its identification, where a data breach broadly covers three situations:

  • Confidentiality – Any unauthorized or accidental disclosure of, or access to, personal data.

  • Availability – Any accidental or unauthorized loss of access to, or destruction of, personal data.

  • Integrity – Any unauthorized or accidental alteration of personal data.

This makes it necessary to have in place not only the processes to prevent breaches, but also the processes and procedures to expedite the response to these incidents.

Road to Compliance

The risk of being non-compliant can mean negative publicity, damage to organizations’ reputations, and penalties. The requirements include that data be protected adequately, and when breaches do occur organizations must have notification capabilities in place that align with the regulation’s standards.

In most industries today, data is the ultimate battleground.

Already under increasing pressure to meet regulatory demands and manage their business challenges (constantly evolving regulatory requirements, rising costs, pressure on profit margins, economic pressures, the challenge of satisfying ever-increasing customer demands, and increased competition), organizations now face different data challenges.

For organizations that hold information on millions of customers in their systems, keeping that personal information secure is already a challenge.

Compliance with these regulations is a massive task, and there is no one-size-fits-all solution.

Only organizations that know the what, where, how, who, when and why of their data, and take effective control of it, can minimize the risk and comply with the regulatory framework.

The most important step towards compliance is to understand the data the organization holds. Across the organization, different departments and different systems will hold personal information.

Only after an organization has enough knowledge about its data - knowing it across the siloed ecosystem, being able to trace the full lineage of the data, and fully understanding its life cycle - can it move on to address data subject access rights, consent, breach response, data processing record keeping, and more.

Understanding what must be governed is the first step to governing it.

On the assumption that there is no one-size-fits-all solution or approach, the best option seems to be a phased approach, where every initiative is grounded on clearly defined business objectives and priorities.

An initial assessment phase will provide a comprehensive awareness of the context in which all the initiatives towards compliance will be developed. Just as important is a clear understanding of how the transformation necessary for DPA compliance can align with and help pursue those business priorities and objectives, and of how to choose the least disruptive path.

Any change introduced into an organization will necessarily create some disruption and generate resistance, and a successful approach must be able to overcome these challenges. Addressing DPA compliance from a holistic perspective increases the risk; although some aspects need to be addressed at a corporate level, such as the data protection policy, others should be prioritized according to business objectives and risks.

Identifying the most critical business areas and processes that depend on personal information, identifying the stakeholders who are most aware of the critical role of personal data in their business processes, and turning each of these cases into use cases is key to assuring long-term success.

These use cases are to be transformed into targeted initiatives where the impact and value of data can be clearly identified, working with a business stakeholder who can passionately and effectively articulate the impact of data on their business processes and who will be eager to defend them.

The assessment will start with a clear definition of the scope and objectives for data protection compliance. Again, alignment with business objectives and strategy is an essential factor for success, and for this it is essential to secure executive-level engagement and to identify the most critical stakeholders within the organization.

An initial version of the organization’s data protection should be initiated at this stage, creating a first draft of the structure and framework where it will work in the future.

A critical component of this stage is a comprehensive gathering of the organization’s context in terms of personal data, defining the scope of systems, data flows and processes to be analysed. Although at this stage this may be done at a high level, to be detailed in subsequent stages or initiatives, it is important to already have a clear view of the number of data elements to be considered private data, where they are stored, which processes act upon them, which data flows use them, and who accesses them and when.

None of this is new. Every organization already has, at some level, its own data security processes, frameworks and procedures. The objective here is also to understand the gap between the current situation and compliance with the Data Protection Act.

It is this gap that will determine the initiatives to be started which, again aligned with business objectives, will determine a roadmap for compliance.

Once a roadmap is defined, it is time to address each of the initiatives, each within a very common development life-cycle framework, excluding perhaps some of the more bureaucratic processes and documents, which should be handled in their own way.

So, what can come out of the roadmap?

Again, there is no one-size-fits-all solution for data protection compliance. In most cases we will be talking about implementing changes to internal processes and procedures: security incident response templates or data breach reporting processes, notice and consent delivery processes, data retention periods. But it can also be process automation initiatives, changes to website forms, cookie collection notices, data security initiatives, server access restrictions, or changes to APIs.

Or even, in some situations, data governance programmes, business glossary implementation, a data lineage initiative, Master Data Management (providing a single view of customer, employee, or other entities), data classification or data monitoring initiatives.

All depending on the specific requirements, on size, on the industry, and on business objectives and strategy.

As a closing note, it is important to emphasise that, especially in industries dependent on attracting and keeping customers, which handle and work with customer data, it is essential to have clear objectives when approaching this challenge.

Data protection might be considered a compliance issue, but the risks are higher than compliance.

There is a growing trend for customers to prefer companies that take an ethical approach to data. Viewing the Data Protection Act as just a compliance issue might hold organizations back from following a market tendency that is gaining strength.

Organizations that can show they are ethical and responsible with their customers’ data will gain a competitive edge over their competition and win their customers’ support in the process. Compliance with the Data Protection Bill is just the beginning of this process.

A clear data strategy, focused on trust and based on ethical and transparent data practices, making sure that customers know how, when and for how long their data will be used, is an opportunity to make customers buy into an organization, its culture and its principles, rather than just its products.

On the verge of a new set of compliance requirements, and although every industry may have a different business vision, you need to look at that vision and understand whether the focus of this transformation should be only compliance with the Data Protection Act, or whether a broader opportunity should be considered.

You need to look at this solution not only as a way to solve compliance, but also as a true business differentiator, enabling a customer-centric vision that supports the organization in delivering truly personalized and valued customer experiences.