Kenyan firms on the spot for sharing customer data

Friday July 23 2021
Data protection.

From left: Equity Group head of data governance Patrick Kariuki, Absa Kenya chief data officer Hartnell Ndungi, Data Protection commissioner Immaculate Kassait, KCB head, information risk Wycliffe Momanyi and EY associate director, cybersecurity, privacy and trusted technology, Anthony Muiyuro during the launch of the EY Data Protection and Privacy Report July 22, 2021. PHOTO | DIANA NGILA NMG | NMG


More than a fifth of Kenyan companies shared customers’ financial and personal information without the client’s consent in breach of data protection laws enacted two years ago.

A survey by consultancy Ernst & Young shows that 41 percent of firms transferred their clients’ data to third-party service providers.

More than half or 53 percent of these companies did not seek the approval of their customers before sharing the data.

This violates the law that restricts the handling and sharing of personal data firms and government entities obtain.

Individuals in breach risk a maximum fine of Ksh3 million ($27,726) or 10 years in jail, while firms risk a fine of up to Ksh5 million ($46,210) or one percent of annual turnover.

“The problem is some of the organisations have not started internalising the requirements provided by the Act. So up to now organisations have been sharing information freely and this is a violation of the Act,” said Robert Nyamu, digital, analytics and cybersecurity solutions partner at Ernst & Young.


EY surveyed several organisations, including top banks, asset managers, insurance companies, telcos, retailers and manufacturing firms. The survey discovered a large number of the companies passed on data to third parties.

The personal information was mainly passed for analysis, processing transactions, sending SMS alerts or to advertisers.

Some firms passed client data to partners in business, while others gave information to law enforcement officers for investigations.

Mr Nyamu said there were also instances of selling the data to vendors. However, he said, it was hard to quantify its value.

Sharing of client information to third parties has led to unregulated text messages, unsolicited emails or notifications of services and products like insurance policies.

Individuals also risk having their identities cloned, exposing customers to bank fraud.

Data has been described as the “new oil” and brokers play a huge role in extracting value from personal information in all its forms.

They collect it from hundreds of sources, including census information, surveys, public records and loyalty card programmes. They then sell the data to other organisations.

Data protection rules came into force to restrict the State and companies handling personal information and prevent its use for research purposes.

The government the appointed Immaculate Kassait as the first Data Protection Commissioner, an independent office to investigates data infringements.

The Act was passed in 2019 to support efforts to digitise identity records for citizens after the Huduma Namba registration exercise sparked a controversy.

The registration, which the government said would boost its provision of services, suffered a setback when the exercise was challenged in court.