Time to conduct data protection impact assessments

Tuesday July 21 2020

Proximity access technology is efficient, but you will be surprised at how much personal information is collected and may be accessible to third parties who own the system. PHOTO | FILE | NATION MEDIA GROUP

Last week, the labour court stopped the recruitment process of the Data Protection Commissioner, following a petition filed by one of the applicants who claimed the process was rife with irregularities and illegalities.

Before the injunction, the government seemed to be on track to appointing the first Data Commissioner in Kenya who would oversee the regulatory aspects of personal data within the data economy.

The key mandate of the Data Commissioner would be to provide assurance that whatever personal data various organisations collect in the course of their activities is secured and protected from abuse.

The Data Protection Act articulates one key mechanism that the Data Commissioner would use to assess the extent to which organisations are complying with the provisions of the Act.

This mechanism is known as the Data Protection Impact Assessment (DPIA). The court injunction against the recruitment exercise provides a perfect break for organisations to get their act together and perform their DPIA.

The DPIA is a requirement for both private and public sector entities that process a significant volume of personal data on a daily basis, particularly data of a sensitive nature.

Unlike traditional IT security, which restricts itself to the confidentiality, integrity and availability of corporate or business data, the DPIA extends this and begins to look into how organisations are protecting and provisioning data rights to their customers.

The various data subject rights include customers’ right to consent, the right to accurate information about them, the right to access that information, the right to be informed in case of breaches and the right to withdraw consent.

Contrary to popular opinion, performing a DPIA is not a matter of downloading a checklist off the internet and then ticking the boxes appropriately. Whereas that could provide a useful starting point, it is definitely not the objective of a DPIA.

The objective of a DPIA is to give the organisation an opportunity to do internal data mapping in order to identify the processes that collect and manipulate personal data, and the risks arising from them.

The output of the data mapping exercise is known as a record of processing activities (RPOA). The organisation would then use the RPOA to establish the extent to which the data processes identified are compliant with the data subject rights as prescribed in the Data Protection Act.

A report would then emerge showing which processes are compliant and which ones are not and, where there is non-compliance, outlining the gaps and what needs to be done in order to become compliant.

Given that there are about ten data subject rights, each process identified must be reviewed in light of each of these rights. It is clear that a ten-minute exercise of ticking a checklist cannot do justice to a DPIA.

Furthermore, the DPIA exercise is not a one-off event but needs to be incorporated within the organisational culture in order to achieve continuous compliance levels.

This speaks to capacity building for all members of staff, so that they appreciate the negative impact of non-compliance, as well as organisational changes to provide for and sustain regular data protection activities.

It is time for such organisations to take advantage of the suspended recruitment process and review their data mapping and compliance exercise well before the recruitment is restarted and completed, so that they are not caught off-guard.

Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT.
Twitter: @Jwalu