The Data Protection Act, 2019 has been going through deliberations in Parliament for an extended period despite being signed into law more than two years ago.
It also served as a unique law in East Africa, because it follows in the footsteps of Europe’s GDPR, and was necessary because Kenya was, and still is, experiencing data protection abuses.
These data protection abuses were raised by a lot of people during the Huduma Namba registration exercise. The same concerns were also highlighted for the better part of 2020 and 2021 when it became clear that some data processors and handlers were using personal data to further their business without considering the implications.
To this end, it is clear why the law exists. It regulates the processing of personal data, and has since seen the establishment of the office of the Data Commissioner.
Although it was signed in 2019, the regulations under it were not actually published until this year (2022).
They are: the Data Protection (General) Regulations, 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
This means that Parliament has the task of assessing the Regulations, and if no issues are raised for a revision, then the regulations will come into effect.
This will be done by February 2022.
As a highlight, the Data Protection (General) Regulations, 2021 provide for rights of a data subject, limitations to commercial use of such information, the roles of data controllers and processors, the communication of data breaches and transfer of data outside Kenya, to mention a few.
Secondly, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 provide for the lodging and admission of complaints, the response to them, and enforcement provisions.
Lastly, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 give details about the process of registering data controllers and data processors. Their certificates have a validity of two years from the time of registration.
The Data Protection Act, 2019 goes a long way in ensuring that there are penalties for non-compliance (with the stated regulations), and that it is now mandatory to consider and include data protection from the start of system design.
We will update you about the development from Parliament regarding the assessment of the regulations.