The much-awaited regulations for the implementation of the Data Protection Act, 2019, which were gazetted in January, have been approved and are now in force.
The regulations are a set of three and comprise:
The DPA itself has been in force since 2019 and parties are expected to be compliant with it.
These regulations cater for the procedural aspects of the DPA, and cover a wide spectrum from the transfer of personal data, to how data subjects’ rights should be provided for, what the thresholds and requirements are for the registration of data controllers and data processors, how complaints relating to infringements and contraventions of the DPA will be handled and how enforcement procedures will be undertaken.
With the regulations in place, businesses should have a greater understanding of what is required of them to ensure that they are compliant under the law. At the same time, they can expect heightened scrutiny by the Office of the Data Protection Commissioner (ODPC), which is expected to be checking on data protection compliance. This will require businesses to rethink their operating models, particularly those that are reliant on the processing of personal data, such as those in e-commerce, financial services, hospitality and the health sector.
Below are the pertinent provisions of the regulations.
1. The General Regulations
Additionally, the General Regulations provide for restrictions on the use of personal data for commercial purposes. A data controller or processor is considered to use personal data for commercial purposes where commercial or economic interests are sought after, primarily through direct marketing.
Furthermore, the General Regulations outline the obligations of data controllers and processors in various instances, such as the transfer of personal data outside Kenya, as well as provide for exemptions under the DPA, which include data processing in relation to national security and public interest.
2. The Registration Regulations
The Registration Regulations operationalise the requirement for data processors and data controllers to register with the ODPC, and are set to come into force 6 months from the date of publication, which the ODPC says is in July 2022. Registration is meant to take place online on the ODPC’s website.
3. The Complaints Regulations
The Complaints Regulations primarily deal with the procedure for lodging a complaint with the ODPC. Generally, a data subject has the option of lodging a complaint orally, through electronic channels of communication or by any other appropriate means, or in person.
Additionally, the Complaints Regulations provide for the issuance of enforcement and penalty notices, as contemplated under the DPA.
The regulations add to the previously issued Guidance Notes on Data Protection Impact Assessments, Consent and the ODPC’s Complaints Management Manual in providing much-needed clarity with respect to the obligations of data controllers and data processors.
Over the course of the next few days, we will be sharing a comprehensive analysis of the data protection regulations, the guidance notes, as well as the complaints management manual, and their impact on doing business in Kenya in a 6-part series.
--
Read the article at Anjarwalla & Khanna.