Educational institutions, churches, owners and security companies operating closed circuit television (CCTV) cameras have been included on the list of those who must offer special guarantees when processing personal data.
New regulations released by Data Commissioner Immaculate Kassait show political activists, gaming and betting companies, banks, credit reference bureaus, tech companies, and providers of transportation services, including app-based taxi services, must also obtain compulsory certification as data controllers or contractors.
The regulation, which is part of the data protection law signed by President Uhuru Kenyatta in November 2019, establishes restrictions on how personally identifiable data obtained by businesses and government entities can be processed, stored and shared.
Data processors or controllers will pay a certification fee of 250,000 shillings. Companies will also have to pay an annual registration and renewal fee of between Sh1,000 and Sh20,000 depending on the number of employees, turnover and the risk of exposure of personal information.
“Any controller or processor whose annual turnover is less than 5 million shillings or whose annual turnover is less than 5 million shillings; and which employs less than ten people, is exempt from compulsory registration under these regulations”, states the Data Protection Regulation (registration of data controllers and processors), 2021.
Data protection law requires data controllers and processors in Kenya and abroad to ensure that all personal data is handled in a legal, fair and transparent manner. They are also required to inform customers about the use of personal data and to correct or remove any misrepresentation about them.
The law also guarantees special safeguards for sensitive data such as marital status, sexual orientation, health status, ethnicity, children’s names and biometric data.
In addition, the law restricts the transfer of personal data to parties outside Kenya. Controllers and processors are required to obtain the authorization of the Data Commissioner before transferring personal data outside the country and to provide evidence of sufficient safeguards against misuse of the information.
The law directs the Data Commissioner to investigate any breach, with breaches of the law resulting in a fine of up to 5 million shillings or a jail term of up to 10 years, or both.
The new regulations are likely to shake up data management in schools, churches, business premises and homes where CCTV cameras have been installed.
The demand for CCTV cameras has increased as public and private institutions as well as home owners move to strengthen security.
The regulation, which mirrors that of the EU’s General Data Protection Regulation, now means CCTV operators risk reprimand for misuse of personal data.
EU law even covers dashboard cameras mounted in vehicles, fearing that some of the data captured could be misused. In the EU, installing a dashboard camera makes the user a ‘data controller’, which has implications under data protection laws.
Dash cam users are required to publicly indicate that filming is in progress and also provide certain details regarding the use of the data.
Kenya has mainly lobbied for data protection laws to strengthen security oversight and boost investment in its information and communication technology sector.
The country has attracted foreign companies over the years with innovations such as Safaricom’s M-Pesa mobile money services, but the lack of safeguards in the handling of personal data has kept it from realizing its full potential.
The state has also recently intensified its efforts to access personal communications in order to combat security breaches.
Parliament amended the Official Secrets Act 1968, making it mandatory for anyone with a cell phone or communication device to provide information about the people and data the state is prosecuting for national security violations.
Those who violate a state order to share information face a fine of 1 million shillings under the changes, which also cover Kenyan-owned gadgets that have been used in foreign countries to send information through channels such as domestic SMS, email and WhatsApp.
In 2017, the Communications Authority of Kenya (CA), the industry regulator, sought to have Safaricom, Airtel and Telkom Kenya install a Data Management System (DMS), arguing that this would help detect fake mobile devices.
The three telecommunications companies opposed the plan, claiming it was spyware whose purpose was to listen in on people’s calls, read messages and track their financial transactions.
In a letter dated January 31, 2017, the CA defended the directive, saying the purpose of the DMS was to access information.