Flagging Kenya’s loopholes in implementing data privacy laws

77 per cent of the businesses indicated they have well-documented policies for customer data protection, although only 56 per cent are strictly applying them.

Data-protection laws in a country determine the number of website trackers.

A research conducted last year indicated that only 36 per cent of Kenyan companies are aware of privacy laws governing their business processes, despite the Data Protection Act being in effect since 2019.

The survey, conducted by WorldWideWorx and commissioned by global technology company Zoho, also revealed that even though businesses are concerned about the privacy of customer’s data in the hands of third-party vendors, they rely on them for revenue generation and gathering customer insights.

According to WorldWideWorx chief executive Arthur Goldstuck, the lack of awareness about the law in ‘Silicon Savannah’ is largely because the data law is not part of business-critical activities like taxation and licensing.

However, 77 per cent of the businesses indicated that they have well-documented policies for customer data protection, although only 56 per cent are strictly applying them.

“Businesses in Kenya consider themselves digitally advanced, with 28 per cent of respondents saying they were completely digital and 18 per cent saying they were close to being completely digital,” he said.

Of the 352 businesses surveyed across various industries and sizes in Kenya, 58 per cent said they allow third-party trackers on their website, mostly for sharing content on social media (64 per cent), tracking affiliate relationships (45 per cent) and ad campaigns (43 per cent).

“There is also a heavy dependence on digital ad platforms. The respondents believe that keyword search ads, at 36 per cent and social media ads (62 per cent) were quite effective for customer conversion,” the study showed.

84 per cent of businesses said the third-party ad platforms either help them meet sales targets.

Given this overreliance on third-party vendors, it is no wonder then that, even though 56 per cent of businesses express concern over the use of their customer’s data, they are largely either ‘comfortable’ or ‘neither comfortable nor uncomfortable’ with the platforms.

Even the 10 per cent who are uncomfortable state they cannot move away from the platforms as they are crucial to their business or that it is too complex to move away. Interestingly, 24 per cent businesses reported that they do not completely understand how third-party vendors utilise their customer information.

“When businesses choose to use a free tracker, they are paying for it with their consumer’s data,” said Andrew Bourne, Regional Manager for Africa, Zoho.

He added that presently, Kenyan businesses turn a blind eye to this passive data collection by trackers, most likely because they are dependent on them for revenue.

“However, consumers will eventually trust companies with transparent privacy policies that protect their personal information. Businesses hoping to stay relevant in the long term will need to either rethink their reliance on third-party platforms or demand greater transparency and accountability from them.”

Zoho said it removed third-party trackers from its website in 2020, and has never sold customer data to anyone or shown ads, even in their free products. It also owns its data centres and the entire technology stack of its solutions, promising users of data privacy and security.   Kenyan businesses believe that the data legislation, one of the first in Africa, either has had no effect (46 per cent) or a positive effect (39 per cent).

Their biggest concerns with the law are increased cost of governance at 45 per cent, increased complexity at 27 per cent and the loss of analytics data at 29 per cent.

Globally, the motivation to share customer data has been around earning more revenue from when third parties purchase the data, while consumers are inspired by getting the technology for free.

However, some companies do not disclose or clearly disclose to users which personal data is collected and which data is sold, or shared, with a third party.

“There are numerous websites that allow users to view the information that is collected or shared, but it should be the businesses’ responsibility to be transparent about the data they collect and who they sell or share it with,” Mr Bourne told Smart Business.

Kenya’s Data Commissioner Immaculate Kassait said efforts are being put to create digital business awareness to the public, with regard to the use of personal data.

“The Office of the Data Protection Commissioner has prioritized measures to ensure that the processing of personal data including the use of AI, 5G, Internet of Things and other new technologies is carried out within the law,” she said.

While noting that these technologies present policy, legal and regulatory challenges, Ms Kassait explained that among the measures her office is taking is allowing the public to report data breaches through an online portal.

“We are implementing a framework for data breach complaint resolution and another one for carrying out periodic system audits to ensure compliance.”

Companies that desist from sharing customer data with third parties are known to earn their customers’ respect, trust and loyalty. This explains why Kenyans may never hear stories of data breaches and theft of millions of money through hacking and ransomware among the country’s biggest corporates, yet they happen every week.

“If they fail to protect data, they are risking being fined through the General Data Protection Regulations (GDPR) as they have no geographical limitations. Additionally, in case of data breach, customers will move to a competitor because it failed to protect personal data, resulting in financial loss,” Mr Bourne noted.

While African governments are slowly appreciating the critical nature of protecting their citizens’ data, only a few seem to be making huge strides towards data protection.

The question of consent from customers in how their data is used has dominated global debates, but Mr Bourne said that that businesses should capture data into an app that makes it easy for them to request permission.

“Make sure the app has good access control for staff like multi-factor authentication. They will also have to ensure the company whose apps they use has good privacy policies and security policies.”

In most online data collection layers, customers are required to read long terms and conditions

regarding data, which user find tedious and go on to click ‘accept’ without knowing what they are subscribing to.

“Companies should move to producing an additional webpage or infographic which explains their policies in simple and easy-to-read format. They could be called ‘Notes to the Data Privacy Policy’ and make bullet points the most important parts of the policy so that users can easily understand what the company is doing with the data,” Mr Bourne stated.

In the event of a data breach and misuse of private information by an employee, Prof Bitange Ndemo of University of Nairobi’s Business School said that it is highly likely that a Kenyan court will find an employer vicariously liable for the misdeeds of its employee.

“Since technology has made it possible to monitor almost all communications into and out of the organisation, it has impacted on privacy. There are cases where we have some tracking devices which have Artificial Intelligence capability to even isolate emails with adverse messages about the organisation. There is need to protect our data more than ever before,” he said.


Zeen is a next generation WordPress theme. It’s powerful, beautifully designed and comes with everything you need to engage your visitors and increase conversions.

Zeen Subscribe
A customizable subscription slide-in box to promote your newsletter

I consent to the terms and conditions