Start-ups processing personal data in Kenya are among the entities required to register with the Office of the Data Commissioner (ODPC) as the East African country implements a law protecting the right to privacy of individuals within its borders.
Registration, which began after the entry into force of the data protection regulations, is mandatory for any company acting as a data controller — defined as a person or entity that determines the purpose and means of processing personal data — or as a data processor, which is a company that may not necessarily collect the data or determine how it is used, but handles it on behalf of another company.
The controller or processor is required to disclose the type of personal data it processes, its subjects and the reasons for collecting and storing such data.
Although the ODPC makes some exemptions based on revenue and number of employees, registration is mandatory for entities that offer financial services, those that process genetic data, telecommunications, property management, patient care, education, transport, hospitality, gaming, crime prevention and direct marketing. Big tech and startups (such as those in the fintech, proptech, agtech, edtech and healthtech space) are some of the entities affected by the new regulations.
“Registration is an important element of compliance with data protection laws as organizations cannot act as data controllers or processors in Kenya unless they have registered with the ODPC,” Kenya’s data commissioner Immaculate Kassait said in a statement.
The new regulations, which provide guidance for data controllers and data processors to follow, are designed to give users more power to determine what data is collected and how it is used.
The regulations also give effect to Kenya’s Data Protection Act, which requires companies to use customer data lawfully, minimize the details collected, restrict the sharing and further processing of data and keep people’s data safe.
The regulations, which are similar to the EU GDPR, also require companies to seek users’ consent before collecting data and specify their intent for collection.
They also specify that these entities must seek consent before using the data for commercial purposes. These entities are also required to process the personal data collected through a data server located in Kenya or to maintain a serving copy within the country’s borders. A company may transfer data outside the country only under a limited set of conditions, one of which is the consent of the data subject.
In the event of a data breach, controllers and processors are required to notify the ODPC within 72 hours. The regulation further encourages entities to have a data protection officer to ensure compliance and recommends fines and prison terms for breach.