Saccos, NGOs, research firms and small and medium enterprises (SMEs) have been faulted for failing to comply with data privacy laws, potentially putting at risk the customer and employee personal information in their custody.
A new survey shows that the organisations have lagged behind in adoption of technology that prevents data theft or destruction. They have also not appointed data protection officers and trained their employees as prescribed by the new data protection laws. This means data under the custody of these entities can easily be breached or transferred to third parties and the victims will not have recourse.
The 2022 Data Protection and Privacy Survey report by consultancy firm Ernst and Young further indicates that these entities have been slow in seeking registration as data processors or controllers with the Office of Data Protection Commissioner (ODPC).
On the other hand, the report found
The survey says banks, insurers, telcos and healthcare firms lead in compliance with data privacy laws and registration, which has seen them reduce intentional breaches of personal information. The survey follows a similar report released last year showing more than a fifth of Kenyan companies shared customer financial and personal information without consent.
“Certain industries are aware (of their obligations), and we want those lagging, like saccos, NGOs and others to catch up with the banks so that we do not have either intended or unintended selling of data or transfer of data,” said Ernst & Young digital, analytics and cybersecurity solutions partner, Robert Nyamu.
Compliance by large corporates such as banks has also been driven by their considerable financial muscle. Some also have a presence outside the country, and the Act requires them to meet certain demands, especially if they need to transfer personal data to another country.
The regulator is also set to make data privacy compliance and registration a necessity for business operation and licensing.