Data Protection For SMES

Data Protection For SMES
Data Protection For SMES

The Case for Embracing Data Protection data has become one of the most important assets a business can own, similar to property, or capital.

The Case for Embracing Data Protection 

Data has become one of the most important assets a business can own, similar to property, or capital. Therefore, the importance of safeguarding personal and sensitive data cannot be overstated. With the establishment of the Data Protection Act and creation of the enforcement body, the Office of the Data Protection Commissioner (ODPC), SMEs are now at risk of committing an offence and facing steep penalties for non-compliance. 

Now more than ever, SMEs must embrace data protection, not only to ensure compliance with legal requirements but to also build trust with key stakeholders, mitigate risks associated with data breaches, and enhance overall business reputation. As Kenya continues to evolve its data protection landscape, SMEs must prioritise the protection of personal data to stay competitive and secure in the market. 

Data Protection Principles 

To begin understanding data protection, we must first explore the key principles that underpin it. 

1. Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and in a transparent manner. Data handlers must be expressly clear, open, and honest about the intended use of personal data prior to collection. They must not process the data in a way that would be unduly detrimental to the data subjects. 

2. Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.   

3. Data Minimisation: Only data that is necessary for the purposes stated should be collected. Data handlers must only collect data that is sufficient to fulfil the purpose, relevant to that purpose and the volume should limited to what is strictly necessary. 

4. Accuracy: Personal data must be accurate and, where necessary up to date. When required, reasonable steps should be taken to ensure that any inaccurate personal data is erased or rectified without undue delay. 

5. Storage Limitation: Data should not be retained for longer than necessary. Once the personal data has become obsolete, can no longer be used for the purpose of processing, data handlers must take reasonable steps to destroy it.  

6.    Data Transfer: Data should not be transferred outside Kenya to another jurisdiction unless there is evidence of adequate data protection safeguards at the destination or consent from the data subject. 

7. Privacy: Data must be processed in accordance with the right to privacy of the data subject. 

8. Accountability: Data handlers are responsible for, and must be able to demonstrate compliance with these principles. Data subjects must be able to exercise their data subject rights without being unduly impeded.  

Data Controller vs. Data Processor   

Understanding the roles of data controllers and data processors is crucial for SMEs. This will serve as the basis for building out a business’s data governance framework as data controllers and processors have differing responsibilities.   

Data Controller: This is the entity that determines the purposes and means of processing personal data. Controllers have the primary responsibility for ensuring that data protection principles are adhered to.   

Data Processor: This is the entity that processes data on behalf of the data controller. Processors act on the instructions of the controller and ensure the security of the data. 

table showing the roles between data controller & data processor
 

Do You Need to Register? 

Under the Data Protection Act, SMEs handling personal data must register with the ODPC. Businesses may be exempted if they meet both of the following criteria: 

  1. Have less than ten employees; and 
  2. Have an annual turnover of under Kshs 5,000,000. 

However, businesses that operate in any of the following sectors are not eligible for exemption and must register: 

  • Political organisations; 
  • Gambling; 
  • Education; 
  • Hospitality industry (excluding tour guides); 
  • Financial services; 
  • Crime prevention and prosecution of offenders; 
  • Direct marketing firms; 
  • Transport service firms (including online passenger hailing applications); 
  • Genetic data processing firms; 
  • Property management companies; 
  • Health administration and provision of patient care; and 
  • Telecommunications network or service providers. 

The registration process involves providing details about the types of data processed, the purposes of processing, and the security measures in place to protect the data. Applicants must also provide details on their organisation, including establishment documents, contact details of a designated Data Protection Officer (DPO), the previous year’s financial turnover, employee headcount. A registration fee must be paid; however, this will vary depending on the size of the business, annual turnover, and number of employees. 

Responsibilities as a Data Handler 

Data handlers have several responsibilities, these are as follows: 

Data Collection: Ensure that data is collected in a lawful, fair, and transparent manner, with the consent of the data subjects obtained where necessary. 

Data Security: Implement appropriate technical and organisational measures to protect personal data from unauthorised access, alteration, or destruction. 

Data Access and Correction: Allow data subjects to access their data and request corrections to any inaccuracies. 

Data Breach Notification: Data controllers must notify the ODPC and the affected data subjects of any data breaches within 72 hours of becoming aware of them (data processors must report to data controllers within 48 hours).  

Data Retention and Deletion: Retain data only for as long as necessary and ensure secure deletion of data that is no longer needed. 

Data Localisation: Meet localisation requirements by processing personal data through a data centre in Kenya or by storing and maintaining a copy of the personal data within Kenya. 

 Practical Steps for Safeguarding Data Protection and Compliance   

  1. Conduct a Data Audit: Identify the types of personal data you collect, process, and store, and map out data flows within your organisation. 
  2. Develop a Data Protection Policy: Create a comprehensive policy that outlines how personal data is handled, protected, retained, and managed within your organisation. 
  3. Implement Security Measures: Use encryption, access controls, and regular security audits to protect data from unauthorised access and breaches, for example, activating two-factor authentication. 
  4. Train Employees: Educate your staff about data protection principles, their responsibilities, and the importance of safeguarding personal data. 
  5. Establish Data Subject Rights Procedures: Set up processes to handle data subject requests for access, correction, and deletion of their personal data. 
  6. Regularly Review and Update Practices: Continuously monitor and update your data protection practices to maintain compliance with the evolving regulations and industry standards.  

Conclusion   

By taking these steps, SMEs can ensure that they are not only compliant with the Data Protection Act but also foster trust and confidence among their stakeholders. Embracing data protection is not just a legal obligation but a strategic business practice that can lead to sustainable growth and success. At CM SME Club, we offer tailored data protection solutions for SMEs at affordable rates, including in-house DPO services. For further information or support, please contact law@cmsmeclub.com. 


Published on Aug. 22, 2024, 1:10 p.m.