The Data Protection Act (hereinafter referred to as “the Act”) came into force in Kenya on the 25th November 2019 to inter alia regulate the processing of personal data and to provide a legal and institutional mechanism to protect personal data. Since its enactment, institutions have been trying their best to comply with the provisions of the Act. As organizations try to be compliant, the government on the other hand is working around the clock to ensure that the Republic has good data protection regulations.
Further, the most recent act by the Public Service Commission to declare the office of the Data Commissioner vacant and short-listing candidates for the position, is just a step toward operationalizing the Act.
The Data Protection Officer.
Some of the means through which institutions are complying with the Act, is by establishing Data Protection Offices and also appointing Data Protection Officers (DPO). This article shall therefore, look into the important role that the DPO plays in an organization.
A DPO is an enterprise security leadership role introduced by The Data Protection Act. DPOs are responsible for overseeing a company’s data protection strategy and its implementation by ensuring compliance with the requirements of the Data Protection Act. Under Section 24 of the Act, a Data Controller or Data Processor may designate or appoint a Data Protection Officer on such terms and conditions as they may determine. The appointment is done where:
- the processing is carried out by a public body or private body, except for courts acting in their judicial capacity; the core activities of the data controller or data processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects; or
- the core activities of the data controller or the data processor consist of the processing of sensitive categories of personal data.
The use of the word may under section 24 of the Act gives the Data Collectors and Data Processors the discretion on whether or not to appoint a DPO. This is a departure from the E.U General Data Protection Regulations (GDPR), from which the Data Protection Act has borrowed its provisions, since the appointment of a Data Protection Officer in the regulations aforesaid is couched in mandatory terms under Article 37(1).
Consequently, since there is no mandatory requirement for institutions to appoint a DPO, it implies that only organizations that deem it fit to appoint a DPO may do so. Before an organization decides on whether to appoint a DPO, it is prudent for it to consider the amount of data it collects or processes, the sensitivity of the said data, and the need to regularly and systematically monitor the data subject.
Qualifications of A Data Protection Officer.
The Data Protection Act just like the EU GDPR, does not outline any specific credentials for the appointment of a DPO. However, Section 24(5), states that a person may be designated or appointed as a data protection officer if that person has the relevant academic or professional qualifications which may include knowledge and technical skills in matters relating to data protection. Therefore, when appointing a DPO, institutions will be required to appoint candidates with expert knowledge, technical skills, and professional qualifications that relate to the role of the DPO.
Borrowing from best practice, companies may appoint experts with knowledge in data protection laws or IT professions that are familiar with the company’s IT infrastructure, technology, technical and organizational structure. Additionally, companies may designate their existing employees to act as DPOs. However, this designation should be done with great caution to avoid conflict of interest as per the requirement of section 24 (2) of the Act.
Duties of the Data Protection Officer.
The responsibilities of a duly appointed Data Protection Officer are outlined under Section 24(7) of the Act and Clause 20 of the Proposed Data Protection (Civil Registration) Regulations, 2020. In a nutshell, the Act places the responsibilities of advising, monitoring compliance, facilitating capacity building, and promotion of cooperation in data processing activities.
It is also the responsibility of the DPO to advise the Data Controller or Data Processor and their employees on data processing requirements provided under the Act or any other written law. Further, the DPO is required to advise the Data Controllers on the Data Protection Impact Assessment. A Data Protection Impact Assessment is an assessment of the impact of the envisaged processing operations on the protection of personal data. This role of advice is very crucial as the Act emphasizes the need to conduct a Data Protection Impact Assessment in cases where processing operations are likely to result in a high risk of infringement of the rights and freedoms of a data subject, by virtue of its nature, scope, context, and purposes.
Further, it is the duty of the DPO to ensure that the Data Controller or Data Processor complies with the provisions of the Act. This will require the DPO to data processing activities in an institution and ensure that they comply fully with the Act and any other data protection law more so upholding the principles of data protection such as lawful processing of data and observance of the right to privacy. Monitoring will also include making sure that an organization’s data system is efficient.
Moreover, the DPO is tasked with the responsibility of promoting capacity building among the staff involved in data processing operations. This requires a DPO to educate staff on how to deal with data and how-to comply with the Data Protection Act and other Data Protection Laws. This can be achieved through training and coming up with company manuals on data protection.
Lastly, DPOs also serve as the points of contact between the company and any Supervisory Authorities that oversee activities related to data protection. This includes the office of the Data Commissioner which shall play a very crucial role in the implementation of the Act.
In light of the foregoing, a DPO plays a fundamental role in ensuring that the principles of data protection are adhered to in an organization in data processing. It is therefore opined that although the provisions of section 24 of the Act with regard to the appointment of a DPO are not couched in mandatory terms, Data Controllers and Data Processors should appoint the DPOs to assist entities that engage in data processing and controlling activities to adhere to the core principles relating to data protection.
There is also a need for the Data Controller and Processor to cooperate with the Data Protection Officer and ensure that he or she is provided with the requisite resources to carry out their tasks and processing operations.
Further, it is important to maintain the independence of the DPO’s office. To this end, the Data Controller and Processor should afford the DPO an opportunity to perform their functions without exercising any form of undue influence or coercion on them. On the other hand, the DPO shall be required to maintain confidentiality and secrecy while performing their duties.
This article is provided free of charge for information purposes only; it does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary as set out in the article should be held without seeking specific legal advice on the subject matter. If you have any query regarding the same, please do not hesitate to contact the following: Faith Mwaka or Joseph Muhuni vide firstname.lastname@example.org or email@example.com respectively.