MasiboLaw

The last decade has seen a sharp rise in the number of tech companies operating in Kenya dotting industries like payments, digital lending, e-commerce, education as well as health technology just to name a few. The growth of venture funding and accelerator programs has also led to these companies scaling and attracting hundreds of thousands of users. At the same time, regulation has also increased and legislations like the Data Protection Act have put certain requirements on these fast-growing companies.

One such requirement is that these companies ensure that their operations do not infringe on the right to privacy of their users and employees. This has been specified through a requirement that technology companies that engage in high-risk operations, which rely on massive data harvesting and processing should conduct regular and comprehensive Data Protection Impact Assessments (DPIA).

What is a Data Protection Impact Assessment?

A DPIA is a process designed to identify risks arising out of the processing of personal data and to minimize these risks as far and as early as possible. It usually culminates in the production of a report that guides the management of the company on the key actions they need to implement to comply with all the relevant data privacy laws. It also identifies the potential privacy risks of new or redesigned programs, systems, or products.

When is a Data Protection Impact Assessment compulsory?

1. When your product/program profiles individuals based on their data and involves a form of automated decision making.
2. When your product involves systematic and continuous monitoring of people for example if you have a camera surveillance solution/product.
3. When your product processes sensitive personal data such as someone’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status or family details.
4. When your product involves processing data belonging to vulnerable groups like children and minorities for example an edtech startup that collects the information of students in high school ought to conduct a DPIA beforehand.
5. When your processing involves the combination of different data sets for example in one aspect you process biometric information like a fingerprint and in another aspect, you collect health data like pregnancy status and you use them in combination to offer a predictive health solution that allows for some form of targeted advertising.
6. When your processing involves new and innovative technologies that can threaten the privacy of individuals, for example, if you are developing software that allows one to have a smart home.

Are there any deadlines?

The Data Protection Impact Assessment has to be conducted 60 days before the actual processing of data starts. It should be done simultaneously or after you have registered with the Office of the Data Protection Commissioner (ODPC).

What are the benefits to your Company for conducting a DPIA?

1. You will avoid penalties and sanctions that come with not complying with the Data Protection Act.
2. It reduces the risk of data breaches in the future as it preempts and proactively resolves any gaps in the organization’s legal and technical measures/policies.
3. It protects your reputation from both the stain of being penalised for noncompliance as well as the occurrence of data breaches.
4. It helps to build user/consumer trust. The fact that an organization has conducted a DPIA is an assurance that the customer’s data is in safe hands and that all the necessary action is being taken to avoid loss, theft, or misuse of personal data. Some companies even choose to build this trust by displaying the DPIA on their websites for the public to see.

Whereas tech companies in Kenya and beyond are focused on growth, they need to consider and obey the laws and regulations in place. This will help them avoid costly losses of customer trust or hefty fines from regulators and government authorities.

Do you need help with a Data Protection Impact Assessment? Feel free to contact us at info@masibolaw.co.ke