The Covid-19 pandemic has drastically changed the work environment and as a result the use of technology and data protection laws have been discussed and intensively debated globally.
On July 16th 2021, the Luxembourg Data Protection Authority delivered a decision that resulted into Amazon being fined 746 million Euros that centred on their infringement of processing personal data without consent in violation of the European Union’s General Data Protection Regulations (GDPR). This decision serves as a warning to several companies around the world to ensure they duly comply with jurisdictional Data Protection laws.
What practical steps can companies take to ensure compliance with data protection laws?
Article 31 of the Constitution of Kenya read together with the Data Protection Act, 2019 provide for the right to privacy and data protection in Kenya. Considering this, this alert highlights the options available to companies that control and process data to ensure compliance with the Data Protection laws in Kenya.
- Data protection by design: Companies are encouraged to implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start. Companies can achieve this using pseudonymisation where personally identifiable data is replaced with artificial identifiers and using encryption where messages are encoded so that only those authorised can read them.
- Data protection by default: Companies should ensure that personal data is processed with the highest privacy protection so that by default personal data is not made accessible to an indefinite number of persons. This can be achieved by limiting accessibility of the data even amongst the employees of the company.
- Companies should establish time limits to erase or review the data stored. This is to ensure data is stored for the shortest time possible to reduce the risks of data breach. Companies however ought to consider the reasons why their organisations need to process the data, as well as any legal obligations to keep the data for a fixed period of time.
- Companies should develop a data protection policy and clearly communicate it to the employees of the company. Data protection policies help companies comply with relevant regulatory and legal requirements notably those linked to data protection, data and document management, access to data and documents, intellectual property and information security thereby reducing associated risks.
- Review employment contracts to include a multi-disciplinary approach/measure for situations where employees voluntarily and negligently cause data breach on the data processed or controlled by the company. This will help with the issue of accountability.
Conclusion
The COVID-19 pandemic has undoubtedly shone light on the importance of data protection laws. However, Data Protection legislation will not be worth the piece of paper it is written on if there is little to no enforcement of workplace data protection standards or policies and the biggest losers will continue to be data processing and data controlling companies.
Disclaimer The above alert is meant for general information and does not constitute legal advice. In case of any inquiries or if you require any further information or advice on how to implement data protection standards and policies at your company, please feel free to contact us at [email protected] or visit our offices on 8th Floor, CMS Africa House, Nairobi or on 3rd Floor, Ritah Plaza, in Kakamega.