Data Protection: The Cost of not Complying

This week, the Office of the Data Commissioner set tongues wagging when it issued a staggering fine of over 9 million Kenyan Shillings against 3 different institutions. Mulla Pride Ltd, a digital credit provider operating KeCredit and Faircash, was fined 2.97 million shillings for using names and contact information obtained from third parties to send threatening messages and make phone calls.

On the other hand, Roma School, a school situated in Uthiru, received a fine of Ksh 4.5 million for posting pictures of minors without obtaining consent from their parents. This was particularly jaw-dropping, as it is the first such fine against an educational institution from the Office of the Data Commissioner. It complements a decision made against Kabianga University earlier this year.

Casa Vera Lounge, a restaurant on Ngong Road in Nairobi, incurred a penalty of Ksh 1.85 million from the Data Commissioner for posting a reveller’s image on its social media pages without first obtaining consent. This is particularly intriguing, as it has cast a negative spotlight on the routine practice of restaurants and bars in Kenya of using pictures of customers for marketing purposes.

However, the magnitude and severity of the fines have raised questions about the formula the Data Commissioner uses to arrive at them and whether they are subject to the principles of proportionality and necessity. This is likely to be one of the issues raised should the fined institutions decide to appeal or seek a review of the decisions in the High Court.

Nonetheless, what these three cases should teach us is the all-rounded nature and importance of complying with the Data Protection Act. Simply obtaining a registration certificate is not compliance; it is just one aspect of compliance. It is therefore critical for organizations and institutions to consider the following:

Conduct Staff Training
A team is only as strong as its weakest link. Oftentimes, privacy violations are committed by people lower in the organization’s hierarchy simply because they are not aware of the legal requirements relating to data protection. It is therefore important to train all your staff on data protection requirements and ensure the knowledge is spread across the organization.

Have the Relevant Documentation in Place
Consent is the most crucial concept in data protection. Before you process personal data, you must secure specific, voluntary and unambiguous consent from the owner of the data. For example, Casa Vera Lounge could have avoided the hefty fine if it had collected the consent of the revellers before publishing their pictures. It could have done this through a properly drafted consent form, signed either physically or digitally.

Additionally, it could have benefited from having a data protection policy, a privacy policy and a data retention policy in place, both to guide it internally as an organization and to be transparent externally about how it handles data. You might also need access request forms to enable users to access the personal information you currently hold about them.

Audit your Data Practices & Habits
Sometimes companies have blind spots when it comes to data protection: habits you might not notice which could eventually land you in trouble. For example, Roma School was in the habit of using children’s images for marketing without getting their parents’ consent. An external appraisal by a data protection expert could have picked up this habit and saved the school the 4.5 million shilling fine.

Have you ever audited how your company uses personal data?

(N.B. This list is not exhaustive but merely educational; for specific advice, seek the services of a legal professional.)

The writer is a lawyer who specializes in offering legal services to people in technology. You can reach him through info@masibolaw.co.ke