Personal data startups in Kenya are among the entities required to register with the Office of the Data Commissioner (ODPC) as the East African country implements a law protecting the right to privacy of individuals within its borders.
The registration, which began after the personal data protection regulations entered into force, is mandatory for any company acting as a personal data controller, defined as a natural or legal person that determines the purpose and means of processing personal data, or as a processor. A processor does not necessarily collect the data or determine how it is used, but processes it on behalf of another company.
The data controller or processor is obliged to disclose the type of personal data it processes, its target subjects and the reasons for collecting and storing such data.
Although the ODPC makes some exceptions based on revenue and number of employees, registration is mandatory for entities that offer financial services, those that process genetic data, and those in the telecommunications sector, property management, patient care, education, transportation, hospitality, gambling, crime prevention and direct marketing.
Big tech and startups (such as those in the fintech, proptech, agtech, edtech and healthtech space) are some of the entities affected by the new regulations.
“Registration is an important element of compliance with data protection legislation as organizations cannot act as a data controller or processor in Kenya unless they have registered with the ODPC,” Kenya’s data commissioner Immaculate Kassait said in a statement.
The new regulations, providing guidelines to be followed by data controllers and processors, are designed to give users more power in determining what data is collected and how it is used.
The law also seeks to promote the enactment of the Kenya Data Protection Act, which ensures that companies use customer data lawfully, minimizes the data collected, restricts the sharing and further processing of data and ensures that people’s data is kept safe.
The regulations, which are similar to the EU’s GDPR, also require companies to seek consent from users before collecting data and specify their intent for collection.
The regulations also state that these entities must seek consent before using the data for commercial purposes. These entities are also required to process the collected personal data through a data server located in Kenya or to keep a service copy within the borders. A company that transfers data outside the country can only do so for a few accounts, which also involves the consent of the data subject.
In the event of a data security breach, controllers and processors are required to notify the ODPC within 72 hours. The regulations also encourage entities to appoint a data protection officer to ensure compliance, and provide for fines and imprisonment for breaches.