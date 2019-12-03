Firms warn data Act gaps will up costs

Implementation of the same Act in Europe has seen almost Sh63 billion in fines levied on several firms. [File, Standard]

Companies have raised concerns over the lack of legal framework in the implementation of the Data Protection Act, 2019.Robert Nyamu, a digital financial officer at consultancy EY, warned that the current state of affairs has the potential to increase the cost of doing business and lead to costly court battles. This comes even as the law comes into effect with key State institutions required to administer the law yet to be established. “The Data Protection Act has already come into effect and there is a need for companies to conduct an impact assessment of what it means to them,” said Mr Nyamu.

The Act is a direct replica of the European Union (EU) General Data Protection Regulations (GDPR) that came into force last year. The GDPR has already seen almost Sh63 billion in fines levied on several high-profile cases against data privacy violations in the EU. “The GDPR had a two-year grace period to allow institutions create the systems necessary for compliance but in our case, the Data Protection Act 2019 is already in force and this can create an uncertain operating environment,” said Nyamu.

Key among the gaps in the enforcement of the legislation is the lack of a Data Protection Commissioner. According to the Act, the Public Service Commission is supposed to kick-start the recruitment of the Data Commissioner, who will establish an office that should have representation across all counties.

The Data Commissioner is also charged with receiving and investigating complaints from individuals and entities relating to data protection violations and act upon the same. The office will also be charged with the responsibility of registering all data processors and data controllers - ranging from large firms such as telcos, banks and utility, among others. “We feel the Act is rich but it does not give a lot of operational details considering how disruptive it is going to be for many firms,” explained Nyamu. “The private sector will take its cue from the government and the Data Commissioner and all companies will need to hire a data officer just like Anti Money Laundering legislation that required banks to hire money laundering reporting officers,” he explained. The costs for implementation are also expected to be higher for small firms given the scarcity of certified cybersecurity personnel in Kenya.

