Data protection (or privacy) refers to the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and destruction of personal information.
It is a constitutional human right, now operationalized under the Data Protection Act of Kenya.
Privacy is an individual's right to freedom from intrusion and prying eyes, or the right of a person to be left alone.
Data Protection = Data Security + Data Privacy
Key Actors in Data Protection
Some of the actors in data protection are:
1. Data Subject:
A Data Subject is a natural person who can be directly or indirectly identified through personal data (name, location, ID number, or other specific factors).
2. Data Controller
The Data Controller is a legal entity, organization, company, person, or institution that collects and processes personal data for predefined purposes.
The Data Controller is the one who determines the purpose of the processing and the means of data processing.
Therefore, the Data Controller is obligated to implement appropriate technical and organizational measures, and to be able to demonstrate that processing is performed in accordance with the data protection law.
3. Data Processor
A Data Processor is a legal or natural person, organization, or institution which processes personal data on behalf of the controller.
Often, the data processor is a third-party company chosen by the data controller to process the data.
The Data Processor is responsible for creating and implementing processes that enable the data controller to gather data, store the data, and transfer it if necessary.
Remember: you can have joint controllers, joint processors and other mixed relationships.
Benefits of the Data Protection Act
- Data mapping exercises increase the transparency and credibility of internal processes.
- Regular Data Protection Impact Assessments improve personal data security by highlighting potential areas of weakness, thus giving a better understanding of the data being collected.
- Opens up opportunities to trade with companies in foreign jurisdictions that have similar laws (EU GDPR, California Privacy Act, etc.). This creates a level playing field for privacy.
- Formally recognizes the privacy benefits of encryption. In the case of a data breach where encryption safeguards were adopted, the Act exempts the data controller or processor from notifying affected data subjects.
- A compliant enterprise or bank is good for business because of enhanced data management. The enterprise should appoint a Data Protection Officer who is in charge of data use and compliance issues.
The Office of the Data Commissioner is mandated to impose sanctions and penalties on violators. Hence, lack of compliance is punitive: data subjects have the right to petition the Data Commissioner over violations and data breaches and to seek compensation.
Non-compliant enterprises face costly compliance and reputational risks:
General penalties: up to Ksh 3M, 2 years imprisonment, or both, for individual offenders.
Administrative fines: Ksh 5M, 1% of annual turnover, or both, for corporate offenders.