The GDPR, which comes into force on 25 May 2018, replaces the Data Protection Directive 95/46/EC and is designed to support the single market, to harmonize data privacy laws across Europe, to protect and empower European Union (EU) citizens' data privacy, and to reshape the way organizations approach the data privacy of EU citizens wherever in the world they operate.
While GDPR is slated to have global and far-reaching ramifications, a degree of uncertainty looms amongst Kenyan companies, especially those engaged in outsourced data processing activities (whether captive or otherwise) that consequently handle the personal data of data subjects in the EU. This uncertainty mainly concerns the applicability of GDPR and its implications for their businesses. The penalty scheme prescribed under the GDPR is also a cause of concern for such companies, since GDPR permits enforcement against a data processor directly.
Are Kenyan data processing companies subject to GDPR?
The definition of data processor under GDPR has a very wide connotation. It covers any operation performed on personal data, such as collecting, recording, structuring, storing, using and disclosing by transmission, and even includes erasing and destroying. Article 3 (Territorial scope) of GDPR makes it clear that the regulation applies regardless of whether the processing takes place in the EU or not.
Therefore, a Kenyan company processing personal data in the context of the activities of an establishment of a controller or processor in the EU will, in all likelihood, fall within the ambit of GDPR.
What should Kenyan data processing companies expect?
Prior to undertaking any processing activity, Kenyan companies will be required to enter into a contract with their customer (generally, a data controller). Such a contract will stipulate the subject matter and duration of the processing activity, its nature and purpose, the type of personal data and the categories of data subjects.
By way of such a contract, a customer (the data controller) will seek from a Kenyan company a flow-down of the following obligations:
- Implementation of appropriate organisational measures to ensure:
  - pseudonymisation and encryption of personal data;
  - confidentiality and integrity of processing systems;
  - restoration of availability and access to personal data after a physical or technical incident; and
  - regular testing and evaluation of such measures;
- In the event of a personal data breach, notification of the customer without undue delay after the processor becomes aware of the breach; and
- Carrying out a data protection impact assessment prior to commencement of the processing activity.
It must be noted that GDPR mandates that the contract between data controller and processor will necessarily comprise the obligations stated above. In addition to the foregoing, a Kenyan company carrying out data processing will also be under an obligation to allow the customer to conduct an audit and inspection of its systems to demonstrate compliance with the above. Further, the right of a data processor to subcontract its obligations has been curtailed and made conditional on the data controller's approval. Therefore, the ability of a Kenyan process outsourcing company to refuse a flow-down of contractual obligations has been severely impacted.
A keystone of GDPR is the stipulation of 'adequacy requirements', which restrict the transfer of personal data to any third country or international organisation that does not "ensure an adequate level of protection." In making that determination, the European Commission will consider whether the legal framework prevalent in the country to which the personal data is to be transferred affords adequate protection to data subjects in respect of the privacy and protection of their data. In Kenya, the current legal framework pertaining to data privacy and protection is far from lucid.
In this era of globalization and integrated product offerings, the generation, use and flow of personal data have been amplified considerably. In the process, both private and public entities have acquired access to the personal data of individuals, giving rise to concerns with respect to the collection, processing, use and storage of such personal data. With the advent of GDPR, many of these concerns in respect of EU citizens will be dispelled to a considerable extent.
Most multinational companies find themselves increasingly dealing with the personal data of EU citizens. Kenyan companies that engage in data processing also gain access to such information as part of their day-to-day operations, bringing them within the ambit of GDPR. At the same time, GDPR casts some onerous obligations on a data processor, many of which will entail significant time and capital investment to comply with. Further, data controllers now have a statutory basis for claiming contractual protection from data processors. Previously, such flow-downs were a subject of commercial negotiation between the parties and could be resisted on that ground. Undoubtedly, this will place Kenyan companies in a more precarious position than they occupied in the period preceding the enforcement of GDPR.
To add to this, whether or not Kenya will meet the 'adequacy requirements' will depend on the manner and depth with which the Forthcoming Legislation deals with these 'adequacy requirements'.
Notwithstanding the above, the author feels that this presents a golden opportunity for Kenyan data processing companies to revisit their data protection, information security and confidentiality policies and make them compliant with global standards. This pre-emptive step will not only help them sustain their businesses, but also secure compliance with GDPR, the Forthcoming Legislation and other global best practices.