Draft data protection (general) regulations 2021

DATA PROTECTION IN ACTION: HOW THE DRAFT DATA PROTECTION (GENERAL) REGULATIONS 2021 AIM TO PROTECT YOUR PERSONAL DATA

  1. INTRODUCTION 

The Draft Data Protection (General) Regulations, 2021 (“the Draft Regulations”) were recently published for public consultation by the Office of the Data Protection Commissioner. They elaborate the rights and duties of data subjects, data controllers and data processors, and also provide the procedures for enforcement of those rights and duties.

Data subjects are individuals whose personal information is collected, while data controllers are the individuals or entities that determine the purpose and manner of processing the personal information collected from data subjects. Data processors, on the other hand, are individuals or entities that process the personal information collected, on behalf of data controllers.

We highlight the salient provisions of the Draft Regulations below.

  2. REVIEW OF THE DRAFT REGULATIONS 
  a. Enabling the Rights of Data Subjects 

The Draft Regulations require that data subjects are informed by data controllers/processors, through a notice, of the following:

  a. the nature and scope of the personal data to be processed;
  b. the reasons for the said processing;
  c. confirmation of whether the data will be shared with third parties.

Data processors and controllers are also required to ensure that:

  a. the data subject has capacity to understand and communicate their consent – consent cannot be presumed on the basis that the data subject did not object, and cannot be implied where the intention of the data subject is ambiguous or doubtful;
  b. the nature of processing is explained in understandable language to the data subject;
  c. data is voluntarily given by the data subject;
  d. data is specific to the data subject.

Further, data subjects have the right to request data portability, access, restriction of and objection to the processing of their data, as well as deletion or rectification of their personal data held by data processors or controllers. If any request by a data subject is rejected, data processors or controllers are required to notify them promptly and give sufficient reasons for the refusal.

Data processors are also required to act in the best interests of data subjects, even after receiving consent to use and process their personal data.

  b. Restrictions on the Commercial Use of Personal Data 

The Draft Regulations classify the sending of electronic messages and catalogues, and the display of adverts on online media sites used by data subjects, as forms of direct marketing. They therefore require data subjects to be given prior notice of the intended use of their personal data for commercial purposes. On receipt of the notice, data subjects can object to the use of their personal data for marketing by third parties. The Draft Regulations exclude sensitive personal data and personal data belonging to minors from direct marketing.

Additionally, data processors are required to have an opt-out mechanism that is simple and easily understandable, and to place it conspicuously where data subjects can readily see and use it. Direct messages should contain a single sentence notifying data subjects that they can opt out of future messages by replying with one word, and the unsubscribe link in an email should be prominently located. With respect to phone calls, data subjects should be informed that they can verbally opt out of future calls.

  c. Obligations of Data Processors and Controllers 

The Draft Regulations require data processors to have a personal data retention schedule that sets out the purpose for retention of the data, the retention period and a provision for periodic audit(s) of personal data. Where a data subject requests that their personal data be anonymised or pseudonymised, the data processor is under an obligation to consider the request.

Where data processors or controllers share personal data on a regular basis, they should enter into a written agreement with data subjects prior to the sharing. Further, where data processors are involved in automated data processing (i.e., processing without human involvement), data subjects should be informed of this and of their right to object to any profiling for marketing purposes. The system used for automated processing should be sound, accurate and non-discriminatory.

Additionally, the Draft Regulations provide that any server used for processing personal data for the purpose of delivering public goods or services, such as education or elections, must be located in Kenya. Data processors that do not perform such activities may also be required by the Data Commissioner to move their servers to Kenya where there is a breach that violates the Data Protection Act (“the Act”), or if they fail to co-operate with the Data Commissioner during an investigation.

  d. Notification of Data Breaches 

The Draft Regulations set out the types of breaches that amount to notifiable breaches, including instances where a data subject’s identification details that are not publicly available are unduly revealed, and the disclosure of personal credentials such as passwords used to access electronic or online systems or accounts. The notification to the Data Commissioner should include the scope and extent of the breach and the steps taken to mitigate it.

  e. Cross-border Data Transfer

The Draft Regulations provide that the transfer of data outside Kenya should only be done under written agreements with data subjects that set out the obligations of the parties. Moreover, data processors should ensure that the data protection legal regime binding the transferee is at least equivalent to that under the Act and its attendant Regulations. For this purpose, countries that have ratified the African Union Convention on Cyber Security and Personal Data Protection, have a reciprocal data protection agreement with Kenya, or have an adequate data protection law are presumed to have sufficient safeguards.

  f. Data Protection Impact Assessment 

Under the Draft Regulations, when data processors engage in activities that constitute a high risk in relation to personal data, they are required to undertake a detailed Data Protection Impact Assessment as set out in the guidelines. These high-risk activities include automated decision-making with legal or similarly significant effects, the processing of biometric or genetic data, and the processing of sensitive personal data or data relating to children or vulnerable groups.

  3. CONCLUSION 

From the foregoing, it is apparent that efforts have been made to substantively implement the provisions of the Data Protection Act. Public participation is ongoing, and it is expected that this will result in changes being introduced to the Draft Regulations.