New EU data laws catch Kenyan firms off-guard

If you use the Internet often or have subscribed to online services, you might have received a flurry of emails in the past few days asking you to “opt in” or give your permission to continue using the service.

This follows new regulations from the European Union (EU) governing how companies collect and use consumers’ data, placing new conditions aimed at safeguarding users’ privacy online.

The General Data Protection Regulation, popularly known by the abbreviation GDPR, came into force at midnight on May 25 and is the strongest attempt yet by regulators anywhere in the world to come up with legislation for the rapidly shifting digital economy.

The rules require companies to inform their consumers what type of data they are gathering from them, why they are gathering this data and how long they store it.

Companies are thus required to get the consent of their consumers to collect their personal data and provide consumers access to it as well as the right to have the data erased, or to restrict it from being processed.

In special circumstances, users can ask companies to delete the personal data they hold, including if they believe the data is no longer serving the original purpose for its collection.

On Thursday, Kenya’s national carrier Kenya Airways became the latest in a long list of companies to send users emails informing them of changes in the privacy policy.

“In line with the General Data Protection Regulation (GDPR) which will be in effect from the 25th of May 2018, we encourage you to take a few seconds to give us your consent below,” read the email from Kenya Airways in part.

The airline then provides a link to the new privacy policy that, as stipulated under GDPR, sets out the kind of data Kenya Airways collects on users and for what purpose, written in easy-to-understand English.

“If Kenya Airways has your permission, we may use the functionality on your device (such as Bluetooth, Wi-Fi and GPS) to determine your location to assist with flight connections, boarding our aircraft as well as provide a personalised service (you can access or change this option by amending the location settings on your device),” explains the privacy policy under one of the notes detailing the types of data the airline collects.

Companies that fail to comply with GDPR face stiff penalties that could include fines of up to 4% of their turnover or €20 million (Ksh2.3 billion), whichever is greater. Companies can be fined even if the data has not been lost.

Cambridge Analytica

Mr Pieter Bensch, head of software company Sage in charge of Middle East and Africa, says that although the GDPR has been passed by the EU Parliament and covers citizens of the 28-member bloc, any organisation that processes data from users in Europe will be expected to comply.

“If you sell African fashion to European residents via an e-commerce website, you will need to review your processes and systems around managing and processing personal data, for example,” he explains.

“Business-to-business companies will also be affected, for instance,” explains Mr Bensch. “If you provide software development or call centre offshoring services to European companies, they will expect you to comply because GDPR puts an onus on organisations to ensure their third-party suppliers handling personal data are compliant.”

The new laws come in the wake of revelations that political campaign firm Cambridge Analytica exploited the data of more than 80 million Facebook users through a third-party app on the site. The data was then used to create psychographic profiles used in election campaigns globally, including in the US and Kenya.

In Kenya, the greatest privacy pain point has been the mobile phone, with consumers routinely complaining of unsolicited text messages from advertisers and, in some cases like the just-concluded elections, politicians.

Many Kenyans took to social media last year to complain about receiving numerous unsolicited campaign text messages from aspiring politicians even though they had not registered their phone numbers for such services.

Betting companies and supermarkets have similarly been on the receiving end of complaints about spamming consumers with marketing promotions that require the user to spend more money to opt out.

Kenya does not yet have a data protection law, with the Ministry of Information and Communications Technology earlier this month forming a taskforce to look into legislation regarding data protection and artificial intelligence.

In the meantime, the GDPR will suffice, with several other countries indicating they will align their data regulation to standards provided by the EU.

Bensch explains it is just a matter of time before compliance becomes a necessity for the majority of companies.

“The GDPR will set a new pace for global data protection and privacy regulation, so compliance will help prepare companies for the future.” With the EU a major trading partner for most African countries, many governments look to EU regulation for best practices and will in time adopt the laws to fit their local demands.
