The Data Protection Act has become the talk of the town as consumers grow more privacy sensitive and the authorities begin to act against privacy violations by organizations large and small. In what is likely the first of many such actions, Oppo Kenya was fined 5 million shillings by the Data Protection Commissioner for violating privacy laws. With this in mind, what does your organization need to do to stay on the right side of the law where privacy is concerned?
- Develop a Data Protection Policy – A Data Protection Policy is an internal statement outlining how your company uses and protects the personal data it holds, and how it will ensure that its handling of that data complies with the Data Protection Act. It must also specify how you intend to align your company's structure and processes for personal data with the core data protection principles, such as storage limitation, purpose limitation, accuracy and transparency.
- Develop a Data Retention Policy – A Data Retention Policy is a set of written guidelines that set out how long the organization retains its consumers' information and how it will dispose of that information once it is no longer needed.
- Develop an Information Security Policy – An Information Security Policy is a document outlining how the company intends to use policies, processes and tools to protect sensitive business information, including personal data, from unauthorized access.
- Register as a Data Controller or Data Processor – Companies operating in specified areas, including education, health, payments, internet service provision, gambling, e-commerce and direct marketing, are required to register as data controllers or data processors with the Office of the Data Protection Commissioner. Those that fail to register are liable to a fine.