Data firms hesitant to register with regulator in Kenya - EY

Saturday September 17 2022

Data Commissioner Immaculate Kassait at the launch of the EY report in Nairobi on n September 15, 2022. PHOTO | DIANA NGILA | NMG


Most Kenyan organisations have not registered with the data commissioner since listing started in July.

The registration is in efforts to improve the privacy of individuals and accountability of entities that handle or process personal information.

A survey by audit firm Ernst and Young Global Ltd (EY) shows that only 19 percent of firms in Kenya have registered as data controllers or data processors with the newly established Office of the Data Protection Commissioner (ODPC).

The report shows that only 12 percent of Kenyan firms have submitted Data Protection Impact Assessment reports to the data commissioner since the rollout of the Data Protection Act in November 2019.

The Act requires all companies that handle or process individuals’ personal data and meet the set criteria – have an annual turnover of at least Ksh5 million ($41,293) or more than 10 employees or both – to register with the ODPC.

Also read: Kenyan firms on the spot for sharing customer data


The firms also need to carry out a data protection impact assessment and submit it to the ODPC 60 days before processing if “is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes”.

Juma Ochola, EY’s cybersecurity, privacy and trusted technology manager, said organisations face multiple challenges in their journey to fully comply with the requirements of the data protection act, hence the slow rate.

Lack of support

“A major pain point organisations pointed out in their journey to full compliance is the lack of support from senior and executive management, resulting in the lack of, or inadequate, allocation of resources to the function,” he said at the launch of the report in Nairobi on Thursday.

Other challenges identified by firms, according to the survey, are skills and experience gap, difficulties managing and implementing consent, scoping the requirements, and identification of a storage location for all sensitive data types.

Despite the challenges, the survey reveals some progress. For example, 50 percent of firms have developed data protection and privacy policies, 26 percent have a framework, and 19 percent already have a strategy.

Further, 56 percent of the organisations already have data protection officers (DPOs), an office established by the Data Protection Act and mandated to ensure compliance with the act among other functions related to it.

However, only 19 percent of the firms that have DPOs have them report directly to the board of directors. The majority report to the heads of audit, legal or data and analytics, highlighting the insignificance associated with the office.

According to the survey, many firms in Kenya say the data protection act is unclear and they need further guidelines from the ODPC including clear definition of personal data, and the role of third parties in the implementation of the act.

Speaking at the launch of the report, Data Commissioner Immaculate Kassait said her office is encouraged by the progress, and will act on the recommendations to improve compliance .

“It’s our prayer that compliance could progress faster than this. We want to see more and we’ll make sure we’re partnering with organisations as far as this is concerned,” Ms Kassait said.