In 2022, the Office of the Data Protection Commissioner issued a directive to companies and organizations handling personal data to register as data controllers/processors. The directive targeted organizations in specific fields such as digital lending, financial payments, healthcare, property management, internet service provision, and transport services to register. Additionally, companies in e-commerce that use direct marketing to reach their audience must also register. Lastly, companies with more than 10 employees and/or an annual turnover beyond 5 million shillings must register irrespective of their sector.

Despite the directive, only a handful of companies and organizations have registered or sought to comply with the Act. This has resulted in a backlash from the Data Protection Commissioner who has decided to fine and penalize companies that are not complying with the Act. 

An example of this is Oppo Kenya which has been fined 5 million shillings for, among other things, failing to have a Data Protection Policy. This shows that Oppo is non-compliant and has not done a proper and accurate registration with the Commissioner. This is because one of the requirements before you are issued with a registration certificate is that you have or commit to developing a data protection policy.

What do you need to register?

To successfully register a company or organization as a data controller/processor one must document how it processes personal data. You must also outline the potential risks that come with how you process personal data, for example, if there is a risk that the data may be stolen and sold to third parties then it is important to state the technical and legal safeguards that your company will introduce to avoid this. 

The Commissioner still reserves the right to reject your Application if it does not meet the requirements. To avoid having your Application rejected or your company getting fined, it is important to have a Data Protection Impact Assessment carried out before you start the Application. The impact assessment will enable you to go through a process designed to identify risks arising out of how you process personal data and how to minimize these risks as far and as early as possible. This will help you make a successful application and also sort out any privacy issues even before they arise and avoid getting fined. 

The writer is a lawyer who specializes in offering legal services to technology companies, e-commerce platforms, start-ups, and software developers. You can reach him at info@masibolaw.co.ke