Entity startups face tougher laws as Kenya moves to protect personal data
Startups processing personal data in Kenya are among the entities required to register with the Office of the Data Commissioner (ODPC) as the East African country implements implements a law protecting the privacy rights of individuals within its borders.
Registration, which began after the entry into force of data protection regulations, is mandatory for any company acting as a data controller, defined as a person or entity who determines the purpose and the means of processing personal data, or a processor. A subcontractor does not necessarily collect or determine how the data is used, but manages it on behalf of another company.
The controller or processor is required to disclose the type of personal data it processes, the target subjects and the reasons for collecting and storing this data.
Although the ODPC grants some exemption based on revenue and number of employees, registration is mandatory for entities that offer financial services, those that process genetic data, in the telecommunications sector, property management, patient care, education, transportation, hospitality, gambling, crime prevention and direct marketing.
Big tech and startups (such as those in fintech, proptech, agtech, edtech, and healthcare) are among the entities affected by the new regulations.
“Registration is an important part of complying with data protection legislation, as organizations can only act as a data controller or data processor in Kenya if they have registered with the ODPC," Kenya's Data Commissioner Immaculate Kassé said in a statement.
The new regulations, providing guidance for controllers and processors to follow, are designed to give users more power to determine what type of data is collected and how it is used.
>The act also seeks to promote the enactment of the Kenyan Data Protection Act, which ensures businesses use customer data lawfully, minimize details collected, limit data sharing and further processing, and guarantees the security of people's data.
The regulations, which are akin to the EU GDPR, also require companies to seek user consent before collecting data and to specify their intention for collection.
It also clarifies that these entities must obtain consent before using the data for commercial purposes. These entities are also required to process personal data collected through a data server located in Kenya or maintain a serving copy within the borders. A company transferring data out of the country can only do so on a certain number of accounts which also includes the consent of the data subject.
In the event of a data breach, controllers and processors are required to notify the ODPC within 72 hours. The regulation further encourages entities to have a data protection officer in place to ensure compliance, and recommends fines and jail time for violations.
Startups processing personal data in Kenya are among the entities required to register with the Office of the Data Commissioner (ODPC) as the East African country implements implements a law protecting the privacy rights of individuals within its borders.
Registration, which began after the entry into force of data protection regulations, is mandatory for any company acting as a data controller, defined as a person or entity who determines the purpose and the means of processing personal data, or a processor. A subcontractor does not necessarily collect or determine how the data is used, but manages it on behalf of another company.
The controller or processor is required to disclose the type of personal data it processes, the target subjects and the reasons for collecting and storing this data.
Although the ODPC grants some exemption based on revenue and number of employees, registration is mandatory for entities that offer financial services, those that process genetic data, in the telecommunications sector, property management, patient care, education, transportation, hospitality, gambling, crime prevention and direct marketing.
Big tech and startups (such as those in fintech, proptech, agtech, edtech, and healthcare) are among the entities affected by the new regulations.
“Registration is an important part of complying with data protection legislation, as organizations can only act as a data controller or data processor in Kenya if they have registered with the ODPC," Kenya's Data Commissioner Immaculate Kassé said in a statement.
The new regulations, providing guidance for controllers and processors to follow, are designed to give users more power to determine what type of data is collected and how it is used.
>The act also seeks to promote the enactment of the Kenyan Data Protection Act, which ensures businesses use customer data lawfully, minimize details collected, limit data sharing and further processing, and guarantees the security of people's data.
The regulations, which are akin to the EU GDPR, also require companies to seek user consent before collecting data and to specify their intention for collection.
It also clarifies that these entities must obtain consent before using the data for commercial purposes. These entities are also required to process personal data collected through a data server located in Kenya or maintain a serving copy within the borders. A company transferring data out of the country can only do so on a certain number of accounts which also includes the consent of the data subject.
In the event of a data breach, controllers and processors are required to notify the ODPC within 72 hours. The regulation further encourages entities to have a data protection officer in place to ensure compliance, and recommends fines and jail time for violations.
What's Your Reaction?
![Three of ID's top PR executives quit ad firm Powerhouse [EXCLUSIVE]](https://variety.com/wp-content/uploads/2023/02/ID-PR-Logo.jpg?#){kind=logo}
