Kenya’s Office of the Data Protection Commissioner (ODPC) has given certificates to 1,623 data processors and controllers following the start of the registration in mid-July last year. The registration process kicked off after the enactment of a new set of regulations by Parliament in March.
The number of data handlers is a slight increase from 1,417 at the end of January this year. This means 206 entities received the regulatory approval in two months. As at September 2 last year, ODPC said it had issued 332 certificates.
Data Protection Commissioner Immaculate Kassait launched the Data Protection Registration System in January, enabling applicants to take personal charge of the registration process. Ms Kassait had also revealed that the certificates would be renewable after every two years.
“The new registration system will be able to display the entire process of registration and everything will be completed online,” said Ms Kassait. “So you go to the website, you apply for registration, we verify your documents and we issue a digital certificate renewable after two years.”
The rules enacted by Parliament require all entities handling personal information of individuals to register as data controllers or processors. They include the Data Protection (General) Regulations, 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
Firms that flout the rules are liable to fines of not more than Sh5 million or up to one percent of their annual turnover.
The legislative intervention came against the backdrop of increased complaints about the lack of data protection laws, coupled with abuse of personal information, especially by digital lenders, political parties and human resource departments, among others.
The entities targeted by the new legal regime include telecommunications companies, building managers, CCTV operators, digital ride-hailing service providers, dispensaries and schools.
Ms Kassait has put 13 sectors on the radar for compulsory registration including processors of genetic data like bars, restaurants, medical research companies and healthcare labs. Others earmarked are law firms, real estate agencies, digital lenders, Saccos and mobile money agents.
Organisations that have an annual turnover of less than Sh5 million or fewer than 10 employees were exempted from registration.