Startups processing personal data in Kenya are among the entities required to register with the Office of the Data Protection Commissioner (ODPC), as the East African country implements a law protecting the right to privacy of persons within its borders.
The registration, which has kicked off after the coming into effect of the data protection regulations, is mandatory for any company acting as a data controller, defined as a person or entity that determines the purpose and means of processing of personal data, or a processor. A processor may not necessarily collect or determine how data is used but handles it on behalf of another firm.
The data controller or processor is required to reveal the kind of personal data they process, their target subjects and the reasons for collecting and storing it.
Despite the ODPC making some exemption based on revenue and number of employees, the registration is mandatory for entities that offer financial services, those that process genetic data, in the telecommunications sector, property management, patient care, education, transport, hospitality, gambling, crime prevention and direct marketing.
Big techs and tech-enabled startups (like those in fintech, proptech, agtech, edtech and health tech space) are some of the entities affected by the new regulations.
“Registration is an important element of compliance with the data protection legislation as organizations cannot act as data controller or processor in Kenya unless they have registered with the ODPC,” said Kenya's data commissioner, Immaculate Kassait, in a statement.
The new regulations, providing guidance to be adhered by data controllers and processors, are designed to give users more power in determining the kind of data that is collected and how it is used.
The law also seeks to promote the enactment of Kenya's Data Protection Act, which ensures that companies use customer data lawfully, minimizes details collected, restricts sharing and further processing of data and ensures the people’s data is kept safe.
The regulations, which are akin to EU's GDPR, also require companies to seek users' consent before collecting data, and to specify their intention for collection.
It also outlines that these entities have to seek consent before using the data for commercial purposes. These entities are also required to process the collected personal data through a data server located in Kenya or keep a serving copy within the borders. A company transferring data outside the country can only do so on a number of accounts that also include the consent of the data subject.
In case of a data breach, controllers and processors are required to notify the ODPC within 72 hours. The regulation further encourages entities to have in place a data protection officer to ensure compliance, and recommends fines and jail terms for contravention.