DPO’s definite Workspace

DPO’s definite Workspace

Dissecting the KenyaData Protection Act:

Key Definitions

Your accountability solution for easy Data Protection Law compliance

www.DPOWorkspace.com

[email protected]

WITH

14 YEARSIN THE FIELD

WE ARE

LAW, COMPLIANCE

& PRIVACY GURUS

DPO

Work

space

.com

Data Protection terms you need to know

1Personal

Data

2Data

Subject

3Processing

4Data

Controller

8

Individual

Rights

7

Lawfulness

6Personal Data

Breach

5Data

Processor

DEFINITIONSA walk through of the common terms in the Kenya Data Protection Act (2019)

01

02

Personal data

This is any information that relates to an

identified or identifiable natural person. It

means any and all information that

identifies you as a data subject

Data subject

A living individual who can be

identified from personal data

(an identifiable individual)

04Data Controller

The entity that determines the

purpose and means of

processing personal data

03Processing

Any operations performed on

personal data e.g. collection,

storage, transmission, alteration,

erasure, destruction etc

05Data Processor

The entity which processes

personal data on behalf of the

data controller

06Personal data breach

Breach of security leading to the loss,

accidental or unlawful destruction,

alteration, damage or unauthorized

disclosure of personal data

07Lawful basis

This is the reason or legal

grounds you can rely on to

process personal data

08Individual rights

These are the rights data

subjects have, and can

exercise, over the personal data

in custody of a data controller

10Office of Data

Protection Commissioner

The body set up to uphold personal

data rights in Kenya. It will oversee the

implementation and be responsible

for the enforcement of this Act

09Sensitive personal data

These are special categories of

personal data such as biometric

data, health status, race etc that must be treated with extra security

11Registration

The Data Commissioner shall

prescribe thresholds for

mandatory registration of

Controllers and Processors

12Data Protection Officer

An individual who ensures that the

Data Controller or Processor processes

personal data in compliance with the

Data Protection Act (2019)

13Data Protection Act (2019)An ACT of Parliament that regulates the

processing of personal data, provides

rights of data subjects and obligations of

Controllers and Processors.



Accountability & Governance



[email protected]

03

02

01

DEMONSTRATING COMPLIANCEYou need to put in place appropriate technical and organisational measures to meet the

requirements of accountability

SECTION 42

Data Processor Contracts

SECTION 23, 61

Compliance & Auditing

SECTION 41

Data Protection by Design

and Default

06

05

04SECTION 31

Data Protection Impact

Assessments

SECTION 74

Codes of practice, guidelines

and certifications

SECTION 24

Data Protection Officer

DEMONSTRATING COMPLIANCEYou have to integrate or ‘bake in’ data protection into your processing activities and

business practices, from the design stage right through the lifecycle

09

08

07SECTION 18-22

Registration for Data

Controllers and Processors

Policies & Procedures

ISO 31000, 27550

Risk Management,

Privacy Program Management

DEMONSTRATING COMPLIANCEYou must be able to demonstrate your compliance



Key Obligations



[email protected]

EDUCATION DATA

PURCHASE/CONTACTS

OFFICIAL DOCUMENTS

FAMILY DATA

FINANCIAL DATA

AGE/DATE OF BIRTH


[email protected] CATEGORIES OF PERSONAL DATA

EMPLOYMENT MEDICAL/HEALTH

INDIVIDUAL’S RIGHTS

Individuals have rights to be informed, access, object to

processing of all or part of their personal data, correction or

deletion of misleading data about them and data portability.

CONDITIONS FOR COLLECTIONA data controller or data processor shall collect

personal data directly from the data subject.

Personal data can only be collected indirectly

under certain conditions.

OBLIGATIONS OF DATA PROCESSINGEnsure right to privacy, lawfulness, kept up-to-

date and accurate, limit collection, do not re-

purpose, enforce retention limits and do not

export unless you have proof of safeguards.

CONDITIONS FOR CONSENTA data controller or data processor shall bear

the burden of proof for establishing a data subject's

consent to the processing of their personal data for a

specified purpose.

Section 26, 38

Section 28

Section 25

Section 32

Data Subject

Rights

Collection

Data Protection

Principles

Consent

TRANSPERENCY AT COLLECTIONBefore collecting, in so far as practicable, you must inform

individuals of their rights in section 26, purpose of collection,

consequence of providing incomplete data, third-parties and

safeguards, and technical & security measures enforced.

CONDITIONS FOR PROCESSINGPersonal data can only be processed with consent

from parent/guardian and processing must protect

the rights and best interests of the child. Incorporate

mechanisms for age verification and consent.

CONDITIONS FOR LAWFUL PROCESSINGYou shall not process personal data UNLESS you

have consent from subject, contractual

obligation, legal obligation, vital interest,

carrying out a public task or legitimate interest

COMMERCIAL USE OF PERSONAL DATAStrictly prohibited unless certain conditions apply i.e., express

consent from data subjects, you have authorization under any

written law and the data subject has been informed of such

use. Where possible, de-identify before commercializing.

Section 29

Section 33

Section 30

Section 37

Duty to

Notify

Children

Lawful

Processing

Commercialization

PROCESSORS & SUB-PROCESSORSYou must enter a written contract, which provides that the

processor shall act only instructions received from the

data controller and shall be bound by the obligations of

the data controller.

PERSONAL DATA INVENTORIESThis Data Commissioner may carry out periodical

audits of the processes and systems of the data

controllers or data processors to ensure

compliance with this Act

DATA LIFE CYCLEYou must put in place appropriate technical

and organisational measures to implement the

data protection principles effectively and

safeguard individual rights

HIGH RISK PROCESSINGA DPIA is an assessment of the impact of the

envisaged processing operations on the protection of

personal data. It’s mandatory for processing that poses

high risks to rights & freedoms of data subjects.

Section 42

Section 23

Section 41

Section 31

Contracts

Compliance

&

Audits

Data Protection

by Design and

Default

Data Protection

Impact

Assessments

EXPERT IN DATA PROTECTIONDPOs assist you to monitor internal compliance, inform and

advise on your data protection obligations, provide advice

regarding DPIAs and act as a contact point for both the

data subjects and the Data Commissioner.

GUIDELINES AND CERTIFICATIONSThe Data Commissioner may issue guidelines or

codes of practice for the data controllers, data

processors and data protection officers

REGISTER BY DATA COMMISSIONERThe Data Commissioner shall prescribe

thresholds required for mandatory registration

of data controllers and data processors

DATA GOVERNANCEAs good practice, you must maintain records of

personal data processing activities (ROPA).

Additionally, you need to have data classification,

sharing, retention & destruction policies in place.

Section 24

Section 74

Section 18-22

Section 31

Data Protection

Officer

Codes of

Practice

Registration of

Controllers &

Processors

Documentations

Policies and

Procedures

SANCTIONS UNDER THE ACT

General Penalty

Applies where specific penalty is

not prescribed. Fine up to KES 3M

or prison up to 10 years, or both.

Specific Penalty

Fine up to KES 5M or prison

up to 2 years, or both.

Issued by the courts for

specific offences.

Compensation

A person who suffers damage

(including financial and non-

financial loss) by reason of a

contravention of the Act is entitled

to compensation for that damage

from the data controller or

processor

Injunction

Court may order or prohibit the

doing of any act to stop a

continuing contravention

Administrative Penalty by DC

The lower of up to KES 5 million or

up to 1% of annual turnover for

preceding financial year. For non-

compliance with the Act

Forfeiture

Court may order forfeiture of any

equipment or article used or

connected in any way with the

commission of an offence.


[email protected]

Be info

rmed

Acc

ess

Corr

ect

ion

Lim

it u

se

Port

ability

Com

pla

int

Dissecting the Data Protection Act:Rights of a Data Subject

(Sections 26, 38, 56)

DPO’s definite WorkspaceYour accountability solution for easy Data Protection Law compliance


[email protected]

Be info

rmed

Acc

ess

Corr

ect

ion

Lim

it u

se

Port

ability

Com

pla

int

An organization must inform you if it is using your data

YOUR INFO. RIGHT APPLIES TO:

Why it is using your data.

What type of data it is using.

How long your data will be kept.

If it is going to transfer to third-parties (to whom and & reason).

Your information rights.

How to contact the organization.

Where the data is from.

Your right to launch a complaint to the Data Commissioner.

Be info

rmed

Acc

ess

Corr

ect

ion

Lim

it u

se

Port

ability

Com

pla

int

What personal information an organization hold about you.

How they are using it.

Who they are sharing it with.

Where they got your data from.

This entails making a SUBJECT ACCESS REQUEST, to find out:

You have a right to ask whether or not an organization is using

or storing your information.

Be info

rmed

Acc

ess

Corr

ect

ion

Lim

it u

se

Port

ability

Com

pla

int

You have a right to request for correction or deletion of false or

misleading data about you.

State what you believe is inaccurate or incomplete.

Explain how the organization should correct it.

Where available, provide evidence of the inaccuracy.

TO EXERCISE THIS RIGHT, YOU SHOULD:

Be info

rmed

Acc

ess

Corr

ect

ion

Lim

it u

se

Port

ability

Com

pla

int

You have a right to limit or object to the processing of

all or part of your data


Make a request directly to the organization

State what you want restricted and why

Be info

rmed

Corr

ect

ion

Acc

ess

Lim

it u

se

Port

ability

Com

pla

int

You have the right to get your personal data from an organisation in a

way that is accessible and machine-readable, for example as a csv file.

As stated in Section 38(3), you also have the right to ask an organisation

to transfer your data to another organisation. They must do this if the

transfer is, as the Law says, “technically possible”.

Make a request directly to the organization.

State what you want.


Be info

rmed

Corr

ect

ion

Acc

ess

Lim

it u

se

Auto

ma

ted

Pro

cess

ing

Com

pla

int

You have the right not to be subject to a decision that is based solely on

automated processing if the decision affects your legal rights or

significantly affects you.

Automated processing (without human involvement).

Profiling.

This right is applicable under two kinds of circumstances:

Be info

rmed

Corr

ect

ion

Acc

ess

Lim

it u

se

Rais

e a

Com

pla

int

Com

pla

int

Organizations should handle your personal information responsibly and

in line with good practice.

Is not keeping your information secure.

Holds inaccurate information about you.

Has disclosed information about you.

Is keeping information about you for longer than is necessary.

Has repurposed your information.

You can lodge a complaint to the Data Commissioner orally or in writing, If

you have a concern about the way an organisation is handling your

information. This can be applied when an Organization:

Be info

rmed

Acc

ess

Corr

ect

ion

Lim

it u

se

Port

ability



Data Subject Rights



[email protected]



Common Everyday Mistakes



[email protected]

TO FIX IT!

Act quickly. Try to recall the email as soon as possible. If you can’t

recall it, contact the person who received it and ask them to delete it.

In the future, consider turning off the autofill option when sending

work emails.

TO FIX IT!Ensure that you have a valid lawful basis prior to

sending any communication. You need to be careful not

to combine service and marketing messages if you do

not have a lawful basis for it.

TO FIX IT!Have a reason for keeping personal data, rather than a

reason for getting rid of it. If you’re required to keep

information for a certain length of time such as financial,

audit or legal records, document your reasons.

TO FIX IT!Institute crosschecking mechanisms for ACCURACY

when transferring personal data from manual “hard-

copies” to digital “soft-copies” formats.

Sending an email

to the wrong

person

Putting service

messages in the same

‘boat’ as marketing

Keeping personal data

you don’t need,

‘just in case’ scenarios

Inaccurate inventories

arising from

digitization

I

II

III

IV

TO FIX IT!

Ensure all web-forms and other data/registration forms capture

ONLY the required personal data that fulfils purpose of processing.

Sensitize data collectors (at registration desks) on law requirements

and appropriate interrogative techniques that ensures compliance.

TO FIX IT!Ensure you always have a lawful basis for collection

and processing. Include an EASY and ACCESSIBLE opt-

out options to subscribers. Avoid dark patterns in

design practices.

TO FIX IT!Ensure individuals understand the purpose of WHY you

are collecting their data through appropriate privacy

disclosures. You need a standard process (SOP) to

manage the disclosures and consents.

TO FIX IT!Employees who do not understand the compliance

obligations could be our weakest link. Ensure everyone

in your team (including new staff) understand their

Data Protection Law obligations.

Information Milking,

Excessive

collection of

personal data

Intrusion,

Interference and

Spamming

Lack of transparency

and/or lawful basis of

processing

Lack of awareness

amongst staff

V

VI

VII

VIII

TO FIX IT!

Have a clear desk policy and avoid “idle print outs” either on your

desk or on shared office printers. Always lock your screen when

leaving your workstation.

TO FIX IT!This is common with Analysts who generate ad hoc reports

while troubleshooting or fixing bugs, and Auditors during

analysis. Always ensure you sanitise your PCs after the

exercise by clearing any logs or reports that have

outlived their purpose.

TO FIX IT!Institute a culture of “privacy-as-a-fore-thought” within

your teams and embed privacy in all your processing such

that you CANNOT run any activity involving personal

data without embedding privacy. Champion This Course.

TO BE EFFECTIVE, YOU MUST!Know your business processes & PI inventories,

understand your handling practices, identify the risks,

keep risk registers and ensure proper risk management

measures are effectively applied.

Accidental

disclosure or

exposure

Retaining logs & reports

after analysis,

troubleshooting or

auditing

Compliance is a process

and not a destination

You are the

Champion in your

Team!

IX

X

XI

XII

SANCTIONS UNDER THE ACT

General Penalty

Applies where specific penalty is

not prescribed. Fine up to KES 3M

or prison up to 10 years, or both.

Specific Penalty

Fine up to KES 5M or prison

up to 2 years, or both.

Issued by the courts for

specific offences.

Compensation

A person who suffers damage

(including financial and non-

financial loss) by reason of a

contravention of the Act is entitled

to compensation for that damage

from the data controller or

processor

Injunction

Court may order or prohibit the

doing of any act to stop a

continuing contravention

Administrative Penalty by

Data Commissioner

The lower of up to KES 5 million or

up to 1% of annual turnover for

preceding financial year. For non-

compliance with the Act

Forfeiture

Court may order forfeiture of any

equipment or article used or

connected in any way with the

commission of an offence.



[email protected]


Thank You.

DPO’s definite Workspace

Documents

Transcript of DPO’s definite Workspace