Startups processing personal data in Kenya are among the entities that must register with the Office of the Data Commissioner (ODPC), as the East African country has a law that protects the right to privacy of individuals in its territory.
Registration, which commences after the entry into force of the data protection regulations, is mandatory for any company acting as a data controller, defined as the natural or legal person who determines the purpose and means of the processing of personal data, or as a processor, that is, a company that may not necessarily collect the data or determine how it is used, but processes it on behalf of another company.
The controller or data processor must disclose the types of personal data they process, their intended subjects and the reasons for collecting and storing such data.
While the ODPC makes some exceptions based on income and number of employees, registration is mandatory for entities that offer financial services, those that process genetic data, the telecommunications sector, property management, patient care, education, transportation, hospitality, gambling, crime prevention and direct marketing.
“Registration is an important element of complying with data protection laws, as organizations cannot act as a controller or data processor in Kenya unless they are registered with the ODPC,” Data Commissioner Immaculate Kassait said in a statement.
The new rules, which provide guidelines for data controllers and processors to follow, are intended to give users more control over the type of data collected from them and how it is used.
The law also aims to promote the adoption of the Kenyan Data Protection Act, which ensures that companies use customer data legally, minimize the amount of data collected, limit sharing and further processing of data, and keep people’s data safe.
Rules similar to the EU GDPR also require companies to seek user consent before collecting data and indicate their intent for collection.
The rules also state that these organizations must obtain consent before using the data for commercial purposes. These organizations are also required to process the collected personal data through a data server located in Kenya or keep a working copy within the country's borders. A company transferring data outside the country may only do so on a number of grounds, which include the consent of the data subject.
Controllers and processors are also required to notify the ODPC within 72 hours of a data breach. The regulation further recommends that organizations have a data protection officer to enforce compliance, and recommends imposing fines and jail time for violations.
Credit: techcrunch.com