The anticipated Data Protection Act is likely to have an immediate impact on organisations in both the public and private sectors as soon as it comes into effect.
We had previously reviewed the key principles behind the bill, but now we need to consider what changes organisations must make in order to be compliant.
Organisations are expected to give citizens far-reaching rights, including the right to consent before their data is collected, the right to its security, data portability, access and accuracy, and the right to be notified of security breaches.
The implications of a data breach or non-compliance include penalties of up to five million shillings or a five-year jail term, or both, for the CEO. This alone should worry any organisation that is collecting, storing and sharing the personal data of citizens.
But what does it take for organisations to be compliant with the data processing principles?
The first thing they should do is to realise that data privacy and protection is not a one-off exercise but a continuous risk management programme.
Organisations must embed data privacy and security within the data life cycle – from collection and storage to the decommissioning of personal data.
This approach is commonly referred to as "privacy-by-design". Organisations must begin by taking an inventory of all their data touchpoints, with a view to evaluating the security procedures and processes used in collecting, storing and sharing the data.
In particular, they must establish whether the data collected or processed meets the expectations of data minimisation, data portability, data access, data accuracy and breach notification as anticipated in the data protection law.
Data minimisation means that organisations should not collect more data than is necessary to perform the specific purpose for which the data is to be collected.
For example, if a school is registering students for academic purposes, there is no valid reason for demanding that students also provide information on their ethnic, sexual or political orientation.
The same data minimisation principle would apply in a medical, banking, house-renting or mobile communication context.
Data portability rights will allow citizens to be provided with their personal data upon request, and in a format that facilitates transmission to another service provider.
This is a powerful concept that is likely to change the relationship that service providers have with their customers.
Organisations will need to get used to the fact that the medical records kept by your private physician belong to you, as do the legal records kept by your lawyer, and that these should be released to you on demand.
This concept applies to your mobile money transactions, educational transcripts or even the data on your supermarket loyalty card. This data is yours and you are entitled to it at any time.
Service providers will be expected to re-engineer their workflows and systems in order to service data portability requests and deliver the data in a readable format within a reasonable time.
Data access and accuracy rights mean that organisations must hold user data in a format that makes it easy for citizens to update their data so that it reflects reality.
Many of us have harrowing experiences trying to update information held about us by, for example, public institutions that manage education, immigration, water and power.
Woe unto you if your power or water bill was wrongly recorded, or your national identity or educational certificate details were misspelled. The process of rectifying the records is often tedious, opaque or without clear deadlines.
The new data protection law is expected to bring some sanity to this area, and organisations must begin to reorganise their processes accordingly in order to provide transparency and faster correction mechanisms for wrongly captured data.
As the recent Facebook data breach shows, even highly resourced enterprises will still be faced with security challenges. However, the data protection regime will ensure that organisations are transparent about what they are doing to protect citizen data.
Specifically, organisations will now be expected to notify the data commissioner and affected users whenever a data breach occurs, something that was previously ignored because enterprises felt it was better to keep silent about breaches than to face the corresponding reputational risk.
The data protection law is surely bound to come. Progressive organisations are not waiting for it before acting; they are instead actively preparing for it by adopting privacy-by-design practices.
Is your organisation one of them?
Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT. Email: [email protected], Twitter: @Jwalu