Startups among entities facing tougher laws as Kenya moves to protect personal data – TechCrunch


Startups processing personal data in Kenya are among the entities required to register with the Office of the Data Commissioner (ODPC) as the East African country enforces a law that protects the privacy rights of individuals within its borders.

Registration begins after the data protection regulations come into force and is mandatory for any company acting as a data controller (defined as a person or entity that determines the purposes and means of processing personal data) or as a processor, which may not necessarily collect the data or determine how it will be used and instead processes it on behalf of another company.

Data controllers or processors are required to disclose the types of personal data they process, the target subjects and the reasons for collecting and storing such data.

While the ODPC makes some exemptions based on revenue and number of employees, there are exceptions for entities that provide financial services, entities that process genetic data, the telecommunications industry, property management, patient care, education, transportation, hospitality, gambling, crime prevention, and direct marketing. Large tech companies and startups (such as companies in the fintech, proptech, agtech, edtech and healthtech sectors) are some of the entities affected by the new regulations.

“Registration is an important factor in compliance with data protection legislation, as organisations cannot act as data controllers or processors in Kenya unless they are registered with the ODPC,” Kenya Data Commissioner Immaculate Kassait said in a statement.

The new regulations provide guidance for data controllers and processors, and are designed to give users greater power in determining what type of data is collected and how it is used.

The law also aims to facilitate the enactment of the Kenya Data Protection Act to ensure that companies use customer data lawfully, minimise the details collected, limit the sharing and further processing of data, and keep people’s data safe.

The regulation, which is similar to the EU’s GDPR, also requires companies to seek consent from users before collecting data and be clear about their intent for collection.

It also outlines that these entities must obtain consent before using the data for commercial purposes. These entities are also required to process the personal data collected through a data server located in Kenya, or keep a copy of the service onshore. Companies transferring data abroad can only do so on multiple grounds, which include the consent of the data subject.

In the event of a data breach, controllers and processors must notify the ODPC within 72 hours. The regulation further encourages entities to establish data protection officers to ensure compliance, and recommends fines and jail time for non-compliance.


