August 17, 2022

Startups that process personal data in Kenya are among the entities required to register with the Office of the Data Commissioner (ODPC), as the East African country enforces a law protecting the right to privacy of people within its borders.

Registration, which began after the entry into force of the Data Protection Regulations, is mandatory for any company that acts as a data controller – defined as a person or entity that determines the purpose and means of processing personal data – or a processor, a company that may not necessarily collect or determine how the data is used, but Dealing with it on behalf of another company.

The data controller or processor is required to disclose the type of personal data they are processing, their target subjects, and the reasons for collecting and storing this data.

Although the ODPC makes some exemptions based on revenue and number of employees, registration is mandatory for entities that provide financial services, those that process genetic data, in the telecommunications, property management, patient care, education, transportation, hospitality, gambling, crime prevention and direct marketing sectors. . Technology companies and startups (such as those in fintech, proptech, agtech, edtech, and healthtech space) are among the entities affected by the new regulations.

“Registration is an important component of compliance with data protection legislation as organizations cannot act as data controller or processor in Kenya unless they are registered with the ODPC,” Kenya’s Data Commissioner, Immaculate Kassait, said in a statement.

The new regulations, which provide guidelines that must be adhered to by data controllers and processors, are designed to give users more power in deciding what type of data is collected and how it is used.

The law also seeks to promote the enactment of Kenya’s Data Protection Act, which ensures that companies use customer data lawfully, reduces details collected, further restricts data sharing and processing, and ensures that people’s data is kept safe.

The regulations, which are similar to the European Union’s General Data Protection Regulation, also require companies to seek users’ consent before collecting data, and to specify their intent to collect it.

It also clarifies that these entities must seek consent before using the data for commercial purposes. These entities are also required to process personal data collected through a data server located in Kenya or to maintain a service copy within the border. A company that transmits data outside the country can only do so on a number of accounts that also have the consent of the data subject.

In the event of a data breach, controllers and processors are required to notify the ODPC within 72 hours. The regulation also encourages entities to appoint a data protection officer to ensure compliance, and recommends fines and prison sentences for the violation.

Source link

Leave a Reply

Your email address will not be published.