#WhatsGood Data Privacy & GDPR

Muigai Solomon
The Anadrome
Published in
7 min read · Feb 6, 2019
L to R: Femi Omere, Winnie Githire, Wangui Kaniaru, Somet Kipchilat, Ashley King-Bischof

On 19th June 2018, Nest Group Africa launched its latest thought-leadership and education series called #WhatsGood.

The inaugural event focused on Data Privacy & GDPR with the support of Microsoft and Anjarwalla & Khanna, which is part of the prestigious Africa Legal Network (ALN).

The overall goal of the event was to discuss the basic terminologies behind data privacy & GDPR and get the audience engaged and thinking existentially about data privacy as a concept.

This article is the first installment in a GDPR and data protection themed series Mettā has put together on GDPR, the changing landscape of business in the context of protecting data, and how organizations can get their data organized and compliant with GDPR and future regulation.

Panelists included:

Key takeaways:

Question 1: What is GDPR and how did we get here?

GDPR is an EU law that came into effect on May 25, 2018. The GDPR is a comprehensive regulatory response, and is designed to do 3 things:

  • Harmonize data privacy laws across Europe.
  • Protect and empower all EU citizens’ data privacy.
  • Reshape the way organizations across the region approach data privacy.

The main idea behind GDPR is to protect personal data and the fundamental human right of privacy. Read more here on the important regulatory events leading up to GDPR.

GDPR changes how we think about data within the following contexts:

  • Breadth of data: the nature of the definitions of data, identity and the various actors.
  • Depth of data: substantial rights for data subjects and obligations for those who use data that belongs to data subjects.
  • Width of data: scope that is not bounded by the industry and geographic limitations of previous regulations.

Question 2: Does GDPR affect organizations in Africa?

According to Dalberg, there is no African country that is currently deemed compliant with GDPR. This means that $14 Billion of Africa’s digital economy export is at risk.

Here are real business scenarios that can affect African companies:

Courtesy: Dalberg Report on GDPR Implications for Africa.

Question 3: If GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location, then what should you be looking at to prevent a breach?

A good way to begin is to understand the basic terminologies:

Personal Data: any information relating to an identified or identifiable natural person.

Data Subject: any person whose personal data is being collected, held or processed.

Sensitive personal data: data such as racial or ethnic origin, sex life/sexual orientation, genetic/biometric data, religious/philosophical belief, trade union membership, and health data.

Data Controller: an entity that determines the purposes, conditions and means of the processing of personal data (e.g. the corporate HQ / central office of an organisation).

Data Processor: an entity which processes personal data on behalf of the controller. Data processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, e.g., collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Ms. Wangui Kaniaru, Partner at Anjarwalla & Khanna making a presentation during the inaugural #WhatsGood session.

The next step is to understand how consent has changed as a result of GDPR, with reference to the terminology above.

GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. A wide range of personal identifiers constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

The rules on consent have changed to reflect the following:

a) The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent — meaning it must be unambiguous.

b) Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.

c) It must be as easy to withdraw consent as it is to give it.

d) Explicit consent is required only for processing sensitive personal data — in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

Question 4: How can companies comply with the new GDPR law?

While this is complex and varies largely from case to case, here are a few overarching principles that your organization should evaluate:

a) Approaches to compliance. Businesses need to perform assessments and demonstrate the ability to meet the GDPR smell test. Assessment is very important and is cross-cutting.

b) Resources provided towards the compliance process. GDPR forces organizations to examine each of their processes, workstreams and businesses; understand what data they are collecting and what they are using it for; explore measures; and work out the resources needed for the measures to be implemented (e.g. privacy by design in the way EU residents interact with your business online, expanding the scope of the privacy policy, etc.).

c) Processes. Organizations need to demonstrate that they are taking steps towards compliance.

Remember: Compliance is a process, not an event.

Other relevant points to consider:

  1. Evaluate how you look at data within your organisation
  2. Consider whether you require an agent within the EU or a Data Protection Officer (DPO)* within the organisation to be compliant. DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organisations that engage in large-scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
  3. Don’t put yourself at risk: privacy by design. Be a little more critical when you share personal data.
  4. Improve individual organisational awareness.

Question 5: What’s the state of data protections laws in Kenya?

Article 31 of the Constitution of Kenya covers data privacy. This article is general and open to interpretation. Kenya has a clear gap: it lacks a regulatory authority to protect citizens’ private information or to enforce that protection.

There are some sector-specific regulations governing telcos, and telcos aren’t allowed to give out your data in a form that can be attributed to you.

Below are examples of the apparent gaps in personal data protection in the Kenyan landscape:

Unnecessarily required:

  • Telephone numbers upon entry into building, recorded in black books.
  • Requirement to leave your identification document at entrance to buildings.
  • Pre-checked/accepted website terms and conditions.
  • Employer requiring private medical data where this is not relevant.

Unnecessarily revealed:

  • When you pay via mobile money, then receive unsolicited marketing/promo texts.
  • Social media videos and pictures of public figures’ private affairs.
  • Telecom companies dealing with private data: commoditizing private calling or texting habits plus financial data, without the data subject consenting or benefiting.

Note: According to the law, just because a person is a subscriber for telecom services from a particular telecom service provider doesn’t mean they consent to the collection, storage, retention and processing of their data.

Conclusion:

In general, there are 6 different ways the GDPR applies to your business’ information policy:

  • Getting consent from your clients: each person who visits your website has to know exactly how their information will be used in future. That is why such an explanation should be incorporated into the “Terms of service” section of your website.
  • Information access: your clients need to know who will have access to their information. Furthermore, when this information is no longer required, it should be deleted from the system.
  • Accuracy of information: all personal information should be kept up to date and refreshed regularly.
  • Information responsibility: your business is fully responsible for using GDPR-compliant tools.
  • Information portability: every client should be permitted to ask you for a readable format containing all the personal information they have previously shared with your business.
  • Information minimization: your website should gather only the minimum amount of an individual’s personal information needed for the purpose at hand.

Nest Group Africa wishes to thank Microsoft for their continued support in making this series possible, Anjarwalla & Khanna and Chebet & Munyaka Advocates for their in-depth presentations that contributed to the making of this article.

Credit: Tollbridge International for aggregating and analyzing the insights.

Tollbridge helps individuals and organizations create engaging and effective learning strategies/solutions for their learning and development needs. You can reach them on hello@tollbridge.co.ke