At least 40 digital lenders will be checked by Kenya’s Office of the Data Protection Commission (ODPC) for data breaches involving their clients.
The ODPC wants to set up a data processing system that is open and accountable and that promotes and protects the right to privacy of Kenyan citizens. This makes people less likely to get hurt and helps the ODPC control data processing more effectively.
They reported that they received 1,030 complaints and accepted 555 of them, 299 of which were against online lenders who had stolen clients’ personal information.
Obstacles to Registering With ODPC
Most businesses have said that a lack of employees and resources is a big problem when it comes to meeting the requirements of the Data Protection Act for data protection and privacy.
Also, consent management has turned out to be a big obstacle to compliance, making it hard for companies to get information, figure out what sensitive data may be needed, and then use that information as proof in a dispute.
The poll also showed that one of the hardest things for businesses to do to follow the Data Protection Act (DPA) is to stop data from leaking and from being accessed by people both inside and outside the organization.
More on the Success So Far with Registering With ODPC
The Central Bank of Kenya (CBK) has not issued licenses to the 40 digital lenders under investigation. The CBK licensed only 10 digital lenders in September out of a total of 288 applicants who had submitted licensing applications in March.
This audit is happening at a time when the Kenyan government, through the CBK, is trying to get rid of any bad actors in the digital lending sector.
The ODPC issued a statement saying, “This is just one among many other complaints being investigated by the Office.”
“We want to reassure the public that all complaints will be looked into and dealt with in the right way,” they said.
When You Must Register With ODPC
You must register with the ODPC if you are not situated in Kenya but are processing a data subject’s personal information there. The focus is on the subject’s location, not yours.
If your company had a turnover of less than 5 million shillings in the previous fiscal year and employed fewer than 10 individuals, you are exempt from registration.
You might still need to register with the ODPC even if you only meet one of the requirements. Consider a scenario where you have more than 10 employees but a yearly turnover of less than $5 million in the prior fiscal year. In that situation, you must register your company as a “data controller” or “data processor” for micro and small businesses.
You must register with the ODPC and will not be exempt if you process personal data within public sector bodies (electoral campaigns are not excluded), educational organizations, credit bureaus, crime prevention and prosecution of offenders (operating security CCTV systems are not excluded), betting and gaming platforms, telecommunication, hospitality services, financial services, businesses based on direct marketing, internet access, transport services, health care organizations, property (management and sale), and processors of genetic data.
Why the Government of Kenya Wants You to Register With ODPC
The government of Kenya is concerned with protecting the data of its citizens. However, there have been reports of how personal data were linked. Understanding why data protection is important also helps explain why an Act for it should exist.
Data protection is a collection of tactics and procedures that can be used to safeguard the confidentiality, accessibility, and integrity of your data. It is also referred to as data security at times. It is a service the ODPC is aiming to offer.
Any organization that gathers, handles, or maintains sensitive data must have a data protection strategy in place, which is why they must register with the ODPC to safeguard citizens. An effective approach can lessen the effects of a breach or disaster and help prevent data loss, theft, or corruption.
Data protection guidelines aid in preserving data and ensuring its accessibility at all times. It includes adopting elements of data management and availability and covers operational data backup and business continuity/disaster recovery (BCDR).
Previous Actions by ODPC
The ODPC warned companies in 13 previously exempt areas to abide by the registration requirements under the Data Protection Regulations 2021. According to the regulation, data controllers and processors must register with the ODPC if they meet specific requirements. In its most recent flagging, the ODPC urged organizations, including pubs, restaurants, dispensaries, and schools, to register regardless of their yearly sales volume or personnel strength.
If the ODPC checks at least 40 digital lenders for data breaches involving their clients, more digital lenders will join in, and more data will be protected.