Internet penetration in Kenya is at its highest, thanks to affordable broadband, both cabled and bundled. Companies are purchasing web hosting in Kenya and setting up virtual shops and online portals to manage customer experience. They ask for personal information like emails and phone numbers which they then use to do digital and email marketing.
With no law to moderate the intake and use of personal information by businesses and third parties, they began abusing it by selling it to anyone who needed it. It prompted the government to develop the Data Protection Act to compel businesses from misusing personal information. It came into effect on November 25th, 2019.
Besides private businesses, the government also began digitising some of its functions, including business registration, application of birth certificates, election management, child education management and the Huduma Namba. All these needed a legal framework to prevent government officers from misusing the data to their advantage.
Provisions in this Act
On a personal scope, this law applies to anyone handling or processing data in Kenya. It applies to locals and foreigners, as long as they do so in Kenya. They include but are not limited to telecommunication service providers, Content developers, and gateway service providers.
In particular, it applies during:
- Data Collection – modalities of collection data from Kenyans, stating the reasons and its use. The data collection platform should have the required information, especially its use.
- Data Security – How the data collected will be stored, away from internal and external infiltration. The data collector should institute security protocols to that effect.
- Data Retention – How to use the data subsequently, and the guidance of doing so. It should be in its raw form, without any additional algorithms.
- Data Disclosure – acknowledging data you have, especially to the regulator and abiding with the laws and regulations of the Act.
- Data Accuracy – capturing the data in its raw form and matching it with available information as per the records of the data commissioner.
- Data Deletion – modalities of disposing of odd data, whether by will or through an act by a court.
- Data Updating – the guidance one should follow in asking for upgraded information from Kenyans, stating its use and scope.
In all this, the person should consent that the organisation or data holder use their data. If not, the data holder is liable, subject to punitive measures by a court of law.
What This Means to Those Who Have Websites
If you have an online business that requires a customer to sign in and create an account, this law is for you. It guides you when using the data for subsequent marketing and your liabilities in case of breaching.
The most punitive one is when you sell the data to third parties. Anyone can take you to court for data privacy infringement, which can land you in jail, fined, or both.
Moreso, if a customer requests you to stop sending them promotional materials and you don’t, they can sue you for privacy infringement.