Startups that process personal data in Kenya are among the entities required to register with the Office of the Data Protection Commissioner (ODPC), as the East African country enforces a law protecting individuals’ right to privacy within its borders.
Registration, which commenced after the data protection regulations came into effect, is mandatory for any company acting as a data controller – defined as an individual or entity that determines the purpose and means of processing personal data – or as a processor, which is a company that may not necessarily collect the data or determine how it is used, but handles it on behalf of another firm.
The data controller or processor is required to disclose the types of personal data they process, their target subjects, and the reasons for collecting and storing such data.
Although the ODPC grants certain exemptions based on revenue and workforce size, registration remains mandatory for entities that process genetic data, and for those operating in telecommunications, asset management, patient care, education, transportation, hospitality, gambling, financial services, crime prevention, and direct marketing.
“Registration is an important element of data protection law compliance as organizations cannot act as data controllers or processors in Kenya unless they are registered with the ODPC,” data commissioner Immaculate Kassait said in a statement.
The new rules, which provide guidance to be followed by data controllers and processors, are designed to give users more power in determining the type of data to be collected and how it is used.
The regulations also support the enforcement of Kenya’s Data Protection Act, which requires companies to use customer data lawfully, to minimize the details they collect as well as the sharing and further processing of that data, and to keep people’s data secure.
The rules, which are similar to the EU’s GDPR, also require companies to obtain users’ consent before collecting data and to specify their intent for collection.
The rules also stipulate that these entities must obtain consent before using the data for commercial purposes. They are further required to process personal data on servers located in Kenya, or to keep a serving copy within the country’s borders. A company transferring data outside the country may do so only on specific grounds, including the consent of the data subject.
Controllers and processors must also notify the ODPC within 72 hours of a data breach. The regulations further encourage entities to appoint a data protection officer to ensure compliance, and provide for fines and prison sentences for violations.