Saturday, December 10, 2022
Home Deals Startups among entities to face tougher laws as Kenya moves to protect...

Startups among entities to face tougher laws as Kenya moves to protect personal data

Startups processing personal data in Kenya are among the entities required to register with the Office of the Data Commissioner (ODPC), as the East African country implements a law protecting the right to privacy of persons within its borders.

The registration, which has kicked off after the coming into effect of the data protection regulations, is mandatory for any company acting as a data controller, defined as a person or entity that determines the purpose and means of processing of personal data, or a processor. A processor may not necessarily collect or determine how data is used but handles it on behalf of another firm.

The data controller or processor is required to reveal the kind of personal data they process, their target subjects, and the reasons for collecting and storing it.

Despite the ODPC making some exemption based on revenue and number of employees, the registration is mandatory for entities that offer financial services, those that process genetic data, in the telecommunications sector, property management, patient care, education, transport, hospitality, gambling, crime prevention, and direct marketing.

Big techs and tech-enabled startups, (like those in fintech, proptech, agtech, edtech and healthtech space) are some of the entities affected by the new regulations.

“Registration is an important element of compliance with the data protection legislation as organizations cannot act as data controller or processor in Kenya unless they have registered with the ODPC,” said Kenya’s data commissioner, Immaculate Kassait, in a statement.

The new regulations, providing guidance to be adhered by data controllers and processors, are designed to give users more power in determining the kind of data that is collected and how it is used.

The law also seeks to promote the enactment of Kenya’s Data Protection Act, which ensures that companies use customer data lawfully, minimizes details collected, restricts sharing and further processing of data, and ensures the people’s data is kept safe.

The regulations, which are akin to EU’s GDPR, also require companies to seek users’ consent before collecting data, and to specify their intention for collection.

It also outlines that these entities have to seek consent before using the data for commercial purposes. These entities are also required to process the collected personal data through a data server located in Kenya or keep a serving copy within the borders. A company transferring data outside the country can only do so on a number of accounts that also includes the consent of the data subject.

Incase of a data breach, controllers and processors are required to notify the ODPC within 72 hours. The regulation further encourages entities to have in place a data protection officer to ensure compliance, and recommends fines and jail terms for contravention.

- Advertisment -

Most Popular

First-place Jets extend win streak to four with 3-1 win in Chicago

The Winnipeg Jets took care of business Friday night in the Windy City, dumping the Chicago Blackhawks 3-1 to claim their first four-game win...

London Knights edge first-place Ottawa 67s in a shootout

On a day when both quarter-final matches at the World Cup of soccer were decided in shootouts, the London Knights and the Ottawa 67s...

More than 20 coolers wash up in Alaska from MV Zim Kingston cargo spill

A recreational pilot has collected 23 coolers from beaches on the central Gulf of Alaska believed to be cargo spilled from the MV Zim...

Stellantis is blaming EVs for its upcoming Jeep layoffs

/ It’s halting work at a facility in Illinois, potentially affecting over a thousand workers.One of Stellantis’ EV concept vehicles. Image: StellantisStellantis,...