DPO’s definite Workspace
Dissecting the Kenya Data Protection Act: Key Definitions
Your accountability solution for easy Data Protection Law compliance
www.DPOWorkspace.com
With 14 years in the field, we are law, compliance & privacy gurus.
DPOWorkspace.com
Data Protection terms you need to know

1. Personal Data
2. Data Subject
3. Processing
4. Data Controller
5. Data Processor
6. Personal Data Breach
7. Lawfulness
8. Individual Rights
DEFINITIONS
A walk through of the common terms in the Kenya Data Protection Act (2019)

01 Personal data
Any information that relates to an identified or identifiable natural person; in other words, any and all information that identifies you as a data subject.

02 Data subject
A living individual who can be identified from personal data (an identifiable individual).
03 Processing
Any operation performed on personal data, e.g. collection, storage, transmission, alteration, erasure or destruction.

04 Data Controller
The entity that determines the purpose and means of processing personal data.

05 Data Processor
The entity that processes personal data on behalf of the data controller.
06 Personal data breach
A breach of security leading to the loss, accidental or unlawful destruction, alteration, damage or unauthorised disclosure of personal data.

07 Lawful basis
The reason or legal grounds you can rely on to process personal data.

08 Individual rights
The rights data subjects have, and can exercise, over the personal data in the custody of a data controller.
09 Sensitive personal data
Special categories of personal data, such as biometric data, health status and race, that must be treated with extra security.

10 Office of the Data Protection Commissioner
The body set up to uphold personal data rights in Kenya. It oversees the implementation of the Act and is responsible for its enforcement.

11 Registration
The Data Commissioner shall prescribe thresholds for mandatory registration of Controllers and Processors.
12 Data Protection Officer
An individual who ensures that the Data Controller or Processor processes personal data in compliance with the Data Protection Act (2019).

13 Data Protection Act (2019)
An Act of Parliament that regulates the processing of personal data, provides for the rights of data subjects and sets out the obligations of Controllers and Processors.
Dissecting the Kenya Data Protection Act: Accountability & Governance
DEMONSTRATING COMPLIANCE
You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.

01 Data Protection by Design and Default (Section 41)
02 Compliance & Auditing (Sections 23, 61)
03 Data Processor Contracts (Section 42)
DEMONSTRATING COMPLIANCE
You have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.

04 Data Protection Officer (Section 24)
05 Codes of practice, guidelines and certifications (Section 74)
06 Data Protection Impact Assessments (Section 31)
DEMONSTRATING COMPLIANCE
You must be able to demonstrate your compliance.

07 Risk Management, Privacy Program Management (ISO 31000, ISO/IEC 27550)
08 Policies & Procedures
09 Registration for Data Controllers and Processors (Sections 18-22)
Dissecting the Kenya Data Protection Act: Key Obligations
CATEGORIES OF PERSONAL DATA
Education data
Purchase/contacts
Official documents
Family data
Financial data
Age/date of birth
Employment
Medical/health
Data Subject Rights (Sections 26, 38)
INDIVIDUAL’S RIGHTS
Individuals have the right to be informed, to access their data, to object to processing of all or part of their personal data, to correction or deletion of misleading data about them, and to data portability.

Collection (Section 28)
CONDITIONS FOR COLLECTION
A data controller or data processor shall collect personal data directly from the data subject. Personal data may only be collected indirectly under certain conditions.

Data Protection Principles (Section 25)
OBLIGATIONS OF DATA PROCESSING
Ensure the right to privacy and lawfulness; keep data up to date and accurate; limit collection; do not re-purpose; enforce retention limits; and do not export personal data unless you have proof of safeguards.

Consent (Section 32)
CONDITIONS FOR CONSENT
A data controller or data processor bears the burden of proof for establishing a data subject's consent to the processing of their personal data for a specified purpose.
Duty to Notify (Section 29)
TRANSPARENCY AT COLLECTION
Before collecting, in so far as practicable, you must inform individuals of their rights under section 26, the purpose of collection, the consequences of providing incomplete data, the third parties the data will be shared with and the safeguards in place, and the technical and security measures enforced.

Children (Section 33)
CONDITIONS FOR PROCESSING
A child's personal data can only be processed with consent from a parent or guardian, and the processing must protect the rights and best interests of the child. Incorporate mechanisms for age verification and consent.

Lawful Processing (Section 30)
CONDITIONS FOR LAWFUL PROCESSING
You shall not process personal data UNLESS you have the data subject's consent, a contractual obligation, a legal obligation, a vital interest, a public task to carry out, or a legitimate interest.

Commercialization (Section 37)
COMMERCIAL USE OF PERSONAL DATA
Strictly prohibited unless certain conditions apply, i.e. you have express consent from the data subjects, or you have authorisation under a written law and the data subject has been informed of such use. Where possible, de-identify the data before commercialising it.
Contracts (Section 42)
PROCESSORS & SUB-PROCESSORS
You must enter into a written contract which provides that the processor shall act only on instructions received from the data controller and shall be bound by the obligations of the data controller.

Compliance & Audits (Section 23)
PERSONAL DATA INVENTORIES
The Data Commissioner may carry out periodic audits of the processes and systems of data controllers or data processors to ensure compliance with the Act.

Data Protection by Design and Default (Section 41)
DATA LIFE CYCLE
You must put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights.

Data Protection Impact Assessments (Section 31)
HIGH RISK PROCESSING
A DPIA is an assessment of the impact of the envisaged processing operations on the protection of personal data. It is mandatory for processing that poses high risks to the rights and freedoms of data subjects.
Data Protection Officer (Section 24)
EXPERT IN DATA PROTECTION
DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding DPIAs and act as a contact point for both data subjects and the Data Commissioner.

Codes of Practice (Section 74)
GUIDELINES AND CERTIFICATIONS
The Data Commissioner may issue guidelines or codes of practice for data controllers, data processors and data protection officers.

Registration of Controllers & Processors (Sections 18-22)
REGISTER BY DATA COMMISSIONER
The Data Commissioner shall prescribe the thresholds required for mandatory registration of data controllers and data processors.

Documentation, Policies and Procedures (Section 31)
DATA GOVERNANCE
As good practice, you must maintain records of personal data processing activities (ROPA). Additionally, you need to have data classification, sharing, retention and destruction policies in place.
SANCTIONS UNDER THE ACT

General Penalty
Applies where a specific penalty is not prescribed. Fine up to KES 3M or imprisonment up to 10 years, or both.

Specific Penalty
Fine up to KES 5M or imprisonment up to 2 years, or both. Issued by the courts for specific offences.

Compensation
A person who suffers damage (including financial and non-financial loss) by reason of a contravention of the Act is entitled to compensation for that damage from the data controller or processor.

Injunction
The court may order or prohibit the doing of any act to stop a continuing contravention.

Administrative Penalty by the Data Commissioner
For non-compliance with the Act: the lower of up to KES 5 million or up to 1% of annual turnover for the preceding financial year.

Forfeiture
The court may order forfeiture of any equipment or article used or connected in any way with the commission of an offence.
Dissecting the Data Protection Act: Rights of a Data Subject (Sections 26, 38, 56)

Be informed | Access | Correction | Limit use | Portability | Complaint
Be informed
An organization must inform you if it is using your data.
YOUR INFORMATION RIGHT APPLIES TO:
Why it is using your data.
What type of data it is using.
How long your data will be kept.
Whether it is going to transfer your data to third parties (to whom and why).
Your information rights.
How to contact the organization.
Where the data is from.
Your right to lodge a complaint with the Data Commissioner.
Access
You have a right to ask whether or not an organization is using or storing your information.
This entails making a SUBJECT ACCESS REQUEST, to find out:
What personal information an organization holds about you.
How they are using it.
Who they are sharing it with.
Where they got your data from.
Correction
You have a right to request the correction or deletion of false or misleading data about you.
TO EXERCISE THIS RIGHT, YOU SHOULD:
State what you believe is inaccurate or incomplete.
Explain how the organization should correct it.
Where available, provide evidence of the inaccuracy.
Limit use
You have a right to limit or object to the processing of all or part of your data.
TO EXERCISE THIS RIGHT, YOU SHOULD:
Make a request directly to the organization.
State what you want restricted and why.
Portability
You have the right to get your personal data from an organisation in a way that is accessible and machine-readable, for example as a CSV file. As stated in Section 38(3), you also have the right to ask an organisation to transfer your data to another organisation. They must do this if the transfer is, as the Law says, “technically possible”.
TO EXERCISE THIS RIGHT, YOU SHOULD:
Make a request directly to the organization.
State what you want.
Automated processing
You have the right not to be subject to a decision that is based solely on automated processing if the decision affects your legal rights or significantly affects you.
This right is applicable under two kinds of circumstances:
Automated processing (without human involvement).
Profiling.
Raise a complaint
Organizations should handle your personal information responsibly and in line with good practice. If you have a concern about the way an organisation is handling your information, you can lodge a complaint with the Data Commissioner orally or in writing. This applies when an organization:
Is not keeping your information secure.
Holds inaccurate information about you.
Has disclosed information about you.
Is keeping information about you for longer than is necessary.
Has repurposed your information.
Dissecting the Kenya Data Protection Act: Common Everyday Mistakes
I. Sending an email to the wrong person
TO FIX IT! Act quickly. Try to recall the email as soon as possible (recall generally only works within the same mail system and before the recipient has read the message). If you can’t recall it, contact the person who received it and ask them to delete it. In the future, consider turning off the autofill option when sending work emails.

II. Putting service messages in the same ‘boat’ as marketing
TO FIX IT! Ensure that you have a valid lawful basis prior to sending any communication. Be careful not to combine service and marketing messages if you do not have a lawful basis for the marketing.

III. Keeping personal data you don’t need, ‘just in case’
TO FIX IT! Have a reason for keeping personal data, rather than a reason for getting rid of it. If you are required to keep information for a certain length of time, such as financial, audit or legal records, document your reasons.

IV. Inaccurate inventories arising from digitization
TO FIX IT! Institute cross-checking mechanisms for ACCURACY when transferring personal data from manual “hard-copy” to digital “soft-copy” formats.
V. Information milking: excessive collection of personal data
TO FIX IT! Ensure all web forms and other data/registration forms capture ONLY the personal data required to fulfil the purpose of processing. Sensitise data collectors (at registration desks) on the law's requirements and on appropriate interview techniques that ensure compliance.

VI. Intrusion, interference and spamming
TO FIX IT! Ensure you always have a lawful basis for collection and processing. Include EASY and ACCESSIBLE opt-out options for subscribers. Avoid dark patterns in design practices.

VII. Lack of transparency and/or lawful basis for processing
TO FIX IT! Ensure individuals understand WHY you are collecting their data through appropriate privacy disclosures. You need a standard process (SOP) to manage the disclosures and consents.

VIII. Lack of awareness amongst staff
TO FIX IT! Employees who do not understand the compliance obligations could be your weakest link. Ensure everyone in your team (including new staff) understands their Data Protection Law obligations.
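The fix for mistake V (capture ONLY the personal data the purpose requires) is easiest to enforce server-side, where the form handler declares the fields its purpose needs and drops everything else before storage. The following is an added example, not code from the DPO Workspace deck: the purpose name, the field names, the list of sensitive field names and the sample submission are all constructed for this illustration. Extra fields a client submits are stripped and reported, and any stripped field that falls into one of the Act's sensitive categories (health status, biometric data, race) is flagged separately so it can be escalated rather than silently ending up in the database.

```python
"""
Added example (not part of the DPO Workspace deck): server-side data
minimisation for a registration form.

The handler declares which fields its purpose actually needs. Any extra
field a client submits is dropped before storage and reported; dropped
fields that fall into a sensitive category are flagged for escalation.
Purpose, field names and the sample submission are constructed for this
illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Purpose:
    """A processing purpose and the fields it is allowed to collect."""
    name: str
    required: frozenset
    optional: frozenset = frozenset()

    @property
    def allowed(self) -> frozenset:
        return self.required | self.optional


# Field names that map onto sensitive personal data categories
# (assumed naming convention for this example).
SENSITIVE_FIELDS = frozenset({
    "health_status", "biometric_template", "race", "ethnic_origin",
    "religion", "sexual_orientation", "genetic_data",
})

# Hypothetical purpose declared for an event-registration web form.
EVENT_REGISTRATION = Purpose(
    name="event registration",
    required=frozenset({"full_name", "email"}),
    optional=frozenset({"dietary_requirements"}),
)


@dataclass
class MinimisationResult:
    accepted: dict            # what may be stored
    dropped: list             # submitted but not needed for the purpose
    sensitive_dropped: list   # dropped AND in a sensitive category
    missing: list             # required fields not supplied

    @property
    def ok(self) -> bool:
        """True when the submission can be stored as-is."""
        return not self.missing


def minimise(submission: dict, purpose: Purpose) -> MinimisationResult:
    """Keep only the fields the purpose allows; report everything else."""
    accepted = {k: v for k, v in submission.items() if k in purpose.allowed}
    dropped = sorted(k for k in submission if k not in purpose.allowed)
    sensitive_dropped = [k for k in dropped if k in SENSITIVE_FIELDS]
    missing = sorted(purpose.required - submission.keys())
    return MinimisationResult(accepted, dropped, sensitive_dropped, missing)


# Constructed sample: a client posts more than the form needs.
SAMPLE_SUBMISSION = {
    "full_name": "Jane Doe",
    "email": "jane@example.com",
    "dietary_requirements": "vegetarian",
    "date_of_birth": "1990-05-17",   # not needed for this purpose
    "health_status": "asthma",       # not needed AND sensitive
}

if __name__ == "__main__":
    result = minimise(SAMPLE_SUBMISSION, EVENT_REGISTRATION)
    print("stored:  ", result.accepted)
    print("dropped: ", result.dropped)
    print("escalate:", result.sensitive_dropped)
    print("missing: ", result.missing, "ok:", result.ok)
```

The allowlist lives next to the purpose, so adding a field to a form means changing the declared purpose, which is exactly the review point a DPO wants. Logging the dropped keys (never their values) gives you evidence of over-collection attempts without retaining the excess data.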
IX. Accidental disclosure or exposure
TO FIX IT! Have a clear desk policy and avoid “idle print-outs”, either on your desk or on shared office printers. Always lock your screen when leaving your workstation.

X. Retaining logs & reports after analysis, troubleshooting or auditing
TO FIX IT! This is common with analysts who generate ad hoc reports while troubleshooting or fixing bugs, and with auditors during analysis. Always sanitise your PCs after the exercise by clearing any logs or reports that have outlived their purpose.

XI. Compliance is a process and not a destination
TO FIX IT! Institute a culture of “privacy as a forethought” within your teams and embed privacy in all your processing, such that you CANNOT run any activity involving personal data without embedding privacy. Champion this cause.

XII. You are the Champion in your Team!
TO BE EFFECTIVE, YOU MUST! Know your business processes and PI inventories, understand your handling practices, identify the risks, keep risk registers and ensure proper risk management measures are effectively applied.
Thank You.
www.DPOWorkspace.com