Inter-institutional startups face tougher legislation as Kenya moves to protect personal data – TechCrunch
Startups in Kenya that process personal data are among the legal entities required to register with the Office of the Data Protection Commissioner (ODPC), as the East African country implements its own laws to protect the privacy of those within its borders.
Registration, which begins after the data protection regulations come into effect, is mandatory for any company acting as a data controller – defined as an individual or entity that determines the purposes and means of processing personal data – or as a data processor, a company that may not necessarily collect the data or determine how it is used, but processes it on behalf of another company.
Data controllers or processors are required to disclose the type of personal data they process, their target audience and the reasons for collecting and storing it.
Although the ODPC offers some exemptions based on revenue and number of employees, registration is required for organizations in financial services, those that process genetic data, and those in telecommunications, property management, patient care, education, transportation, hospitality, gambling, crime prevention and direct marketing.
“Registration is an important element of compliance with data protection laws as organizations cannot act as controllers or processors of data in Kenya unless they are registered with the ODPC,” Kenya’s data commissioner, Immaculate Kassait, said in a statement.
The new regulations, which provide guidance to be followed by data controllers and processors, are designed to give users more power in determining what data is collected and how it is used.
The law also seeks to promote the enactment of the Kenya Data Protection Act, which ensures that companies use customer data lawfully, minimize the details collected, limit the sharing and further processing of data, and ensure everyone’s data is kept safe.
The regulations are similar to the EU’s GDPR, which also requires companies to seek user consent before collecting data and to state their intent for collection.
It also indicates that these entities must seek consent before using the data for commercial purposes. These entities are also required to process the personal data they collect through a data server located in Kenya or to keep a copy on a server within its borders. A company transferring data outside of the country can only do so on certain grounds and with the consent of the data subject.
In the event of a data breach, the controller and processor are required to notify the ODPC within 72 hours. The regulation also encourages organizations to have data protection officers to ensure compliance, and recommends fines and prison sentences for violations of the law.