DATA PROTECTION OFFICER APPOINTMENT IN KENYA

The emergence of data-oriented business models has raised the bar significantly in terms of handling and processing customer data. The personal data that individuals provide to businesses are processed to enhance processes and determine revenue models. Business entities and other bodies that process personal data are governed by the Kenya Data Protection Act, 2019(henceforth DPA). The Data Protection Act of Kenya (DPA) is the main national legislation that regulates the processing of personal data in Kenya and categorizes processing entities under two distinct titles, namely, Data Controllers and Data Processors.

Data controllers are entities that determine the ‘purpose’ and ‘means of the processing of personal data and are distinguished from Data processors are entities that process personal data on their behalf and on the terms and conditions determined by the Data Controller. Data Controllers and Processors are regulated by the DPA, if:

• They are established or incorporated in Kenya.
• Ordinarily, reside and process data in Kenya; or
• Process data of individuals (henceforth Data Subjects) who reside in Kenya.

A Data Protection Officer (DPO) is a natural or legal person appointed by a Data Controller or Processor to assist with compliance of provisions outlined under the DPA for the duties and responsibilities of a Data Controller or Processor.

The overarching obligation of the DPO, to their contracting Data Controller or Processor, is to possess a thorough comprehension of the processing activities and an understanding of the possible risks arising from said processing activities.

Therefore, the DPO must take into account the nature, scope, context, and purpose of processing activities, which will, in turn, inform and modulate the tasks undertaken in proportion to the ‘risks’ posed to the fundamental rights and freedoms of the Data Subjects.

A Data Subject’s personal data should be processed in accordance with the data protection principles and provisions enshrined within the DPA. The European Union General Data Protection Regulation (henceforth GDPR) which came into force in May 2018, shares numerous identical provisions with the DPA, particularly pertaining to the Designation of the DPO i.e., Article 37 of the GDPR and Section 24(1) to (6) of the DPA and the general ‘Tasks of the DPO’ as under Article 39 of the GDPR and Section 24(7) of the DPA.

This article seeks to expand on the provisions of the DPA pertinent to the DPOs obligations based on GDPR guidelines developed by Article 29 Working Party (WP29), which has now been replaced by the European Data Protection Board (EDPB). These guidelines offer an insightful interpretation of the applicability and legal requirements of the GDPR and as such can assist in the interpretation of the DPA.

The DPA does not obligate Data Controllers or Processors to appoint a DPO, which is evident from the diction of Section 24(1) which provides that “a Data Controller or Data Processor MAY designate or appoint a DPO…”. If this section stated that “a Data Controller or Data Processor SHALL designate or appoint a DPO…”, as is the case with the GDPR, the provision would have made it mandatory for all Data Controllers and Processors, that fulfilled the requirements, to appoint DPOs. The DPA does, however, outline when the appointment of a DPO is necessary.

The following near-identical provisions enshrined under Section 24(1) of the DPA and Article 37(1) of the GDPR enumerate the circumstances for the appointment of DPOs. These include, where:

1. the processing is carried out by a public body or private body, except for courts acting in their judicial capacity.
2. the core activities of the data controller or data processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects; or
3. the core activities of the data controller or the data processor consist of the processing of sensitive categories of personal data.

Section 24(1)(a) of the Act however, with definitiveness, states that Courts, and possibly tribunals, when acting in their judicial capacity do not require the services of a DPO. ‘Core activities’ as outlined in Section 24(1)(b) of the Act are those that pertain to the processing of Data Subjects information must constitute the primary business activities or functions of the Data Controller or Processor. This provision also creates a secondary condition that recognizes the need to appoint a DPO when the monitoring of Data Subjects information is performed on a ‘regular’ and ‘systematic’ basis. The WP29 expanded on the terms ‘regular’ and ‘systematic’, and are defined as follows:

1. Regular processing or monitoring:
2. Ongoing or occurring at particular intervals for a particular period.
3. Recurring or repeated at fixed times; or
4. Constantly or periodically taking place.
5. Systematic processing or monitoring:
6. Occurring according to a system.
7. Pre-arranged, organized, or methodical.
8. Taking place as part of a general plan for data collection; or carried out as part of a strategy.

The ‘systematic’ requirement highlights the ‘intent’ of Data Controllers or Processors, as they feature the application of pre-determined terms of processing to the data under their control. Examples of processing activities that fulfil the above requirement include:

• Operating a telecommunications network
• Data-driven marketing activities
• Location tracking, for example, by mobile applications

According to the GDPR, the ‘regular’ and ‘systematic’ test requires cumulative application when interpreting Article 37(1) of the GDPR, and consequently Section 24(1) of the DPA should be interpreted in a similar manner. This implies that a Data Controller or Processor should essentially appoint a DPO when they engage in processing activities that qualify as both ‘regular’ and ‘systematic’ by virtue of their nature, scope or purpose. Section 24(1)(c) the Act provides that a DPO would be recommended if the core activities of the Data Controller or Processor involve the processing of sensitive data.

Sensitive data is defined as any data pertaining to a natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, sex or sexual orientation. This category of data is subject to stricter regulations and limited grounds for processing under the DPA. In addition, as per Section 44 of the Act, no category of sensitive personal data shall be processed except where the principles of processing personal data are applied, observed and respected.

Although the DPA contains no provisions relating to the mandatory appointment or designation of a DPO, it is highly recommended that Data Controllers or Processors that engage in activities that fall within the scope of Section 24(1) appoint an internal or external DPO. The appointment of DPOs, demonstrate generally, legal compliance with the provisions of the DPA and would serve as effective mitigation to reduce the liability of Data Controllers and Processors upon the occurrence of a data privacy breach.

Here we seek to delve into what a DPO is actually tasked to do as outlined under section 24(7) the DPA as read with Article 39 of the GDPR. The Act under Section 24(7) establishes the key responsibilities of DPOs to their respective Data Controllers or Processors, and in relation to the Data Protection Commissioners Office, established under Section 6 of the Act. These responsibilities are akin to those provided under Article 39 of the GDPR.

The DPO must have due regard to the ‘risks to the rights of the Data Subjects’ in relation to the processing activities conducted by the Data Controllers or Processors. Therefore, a DPO would be expected to have full comprehension of the nature, scope, context and purpose of the intended processing activities.

Below are the expressly provided minimum tasks and obligations of a DPO under Section 24(7) of the DPA:

1. Advise Data Controller Or Processor, Including Their Staff, On Legal Obligations Under The DPA And Other Relevant Laws. (Section 24(7)(a))

The DPO is responsible for advising and informing the Data Controller and the Processor about their respective data protection duties and responsibilities as enshrined under the DPA and other relevant national laws, regulations, and guidelines concerning data protection. DPOs are obliged under Section 24(7)(d) to provide advice on Data Protection Impact Assessments (DPIAs) to the party that has appointed them. The DPO is expected to be a guide with regards to compliance and accountability measures based on the particular context of risk. Examples of this are outlined under Part IV of the DPA which relates to ‘Principles and Obligations of Processing Data’.

• Monitoring Compliance With The Provisions Of The DPA. (Section 24(7)(b))

A DPO is required to assist the Data Controller or Processor to monitor internal compliance with the provisions of the DPA and other relevant national laws and regulations in tandem with the Data Controllers or Processors’ own internal security policies by

• Collecting information to identify processing activities.
  • Analyzing and check the compliance of said processing activities; and
  • Informing, advising, and issuing recommendations to the Data Controller or Processor.

According to the WP29, data protection compliance is a corporate responsibility of the Data Controller, not of the DPO. Therefore, in instances of non-compliance, the DPO ideally should not be held personally liable.

This position is supported through the diction of Section 41 DPA, which makes the Data Controller or Processor, not the DPO, responsible for the implementation of appropriate technical and organizational measures. It is yet to be determined whether DPOs can be held vicariously liable for non-compliance that resulted in a data privacy breach.

• Facilitate Capacity Building Of Staff Involved In Data Processing Activities (Section 24(7)(C))

The appointed DPO must identify all members of staff who engage and interact with various forms of data collected, and their level of interaction with the same. Staff are to be adequately informed of the potential risks and threats to the data, as well as their obligations and duties in relation to ensuring data privacy and preservation of the Data Subjects’ rights.

The DPO will be expected to engage in some of the following activities in order to mitigate the risk of data breaches precipitating from acts or omissions of the staff members:

• Assignment of the data protection responsibilities to staff based on the nature, scope and purpose of the processing activities.
• Data protection awareness initiatives; and
• Periodical training sessions of staff performing personal data processing and related audits.

• Advice On Data Protection Impact Assessments (DPIAs) (Section 24(7)(d))

The DPA under Section 31 impels Data Controllers or Processors to undertake Data Protection Impact Assessments (DPIA) where processing activities can lead to potentially high risk to the rights of respective Data Subjects. A properly conducted DPIA will serve as an effective warning system that equips all actors within an organization to systematically address all potential deficiencies in their processing activities that can infringe upon the rights of a Data Subject.

The WP29 recommends that the Data Controller or Processor should seek the advice of the DPO, on the following issues, amongst others:

• Whether or not to carry out a DPIA.
• What methodology to follow when carrying out a DPIA.
• Whether to carry out the DPIA in-house or whether to outsource it.
• What safeguards (including technical and organizational measures) to apply to mitigate against any risks to the rights and interests of the Data Subjects.
• Whether or not the DPIA has been correctly carried out; and
• Whether its conclusions (whether or not to go ahead with the processing activities and what safeguards to apply) are in compliance with the DPA.

If the Data Controller or Processor disagrees with the advice provided by the DPO, the DPIA documentation should specifically justify in writing why the advice of the DPO has been contradicted.

• Cooperating With The Data Protection Commissioner’s Office (Section 24(7)(e))

The DPA ambiguously states that the DPO shall cooperate with the Data Protection Commissioner’s Office (Commissioners’ Office), or any other authority, ‘on matters relating to data protection’.

According to the WP29, the main form of cooperation between the DPO and the Commissioner’s Office is, for the DPO to be the contact point, on behalf of the Data Controller or Processor, and to facilitate access by the supervisory authority to documentation and information pertaining to processing activities and data.

This cooperation will allow the Commissioner’s Office to fulfil the duties of its Office by exercising the advisory and investigative powers enshrined within the DPA. The appointed DPO shall collaborate with the Commissioner’s Office to assist with, amongst other duties:

• Investigation into data breaches and other offences committed under the DPA.
• Receiving and managing complaints received from Data Subjects; prior.
• Engaging in consultations prior to the processing of data and ensure compliance with laws and guidelines issued by the Commissioner’s Office.

DPOs may have to share information about relevant aspects of the Data Controller or Processor which they would be expected to communicate to the Commissioner’s Office on request including, and not limited to:

• Personal Data processing operations.
• Internal data protection policies and practices, including how the organization meets the DPA’s accountability obligations.
• Risk assessment procedures; and
• Documentation and reports relating to DPIAs performed.

Furthermore, DPOs are intrinsically involved in the process of communicating and notifying the Commissioner’s Office about data breaches, within 72 hours of the discovery of the said breach. The DPO is expected to serve as a proxy between the Data Controller or Processor and the Commissioner’s Office to ensure compliance with the data breach obligations enshrined within the DPA.

So how do you go about appointing a DPO? The minimum considerations for the selection criteria of a DPO are articulated under Section 24(5) of the Act and Article 35(7) of the GDPR respectively and provide that:

“the person has relevant academic or professional qualifications which may include knowledge and technical skills in matters relating to data protection.”

Based on the tasks of a DPO described above, it is highly unlikely a single individual would possess all the knowledge, professional qualifications and abilities required of a DPO role. Therefore, the tasks of a DPO will be performed by a team headed by the DPO, particularly by Data Controller or Processors that engage in large scale and complex data processing activities. Recital 97 of the GDPR stipulates that:

“The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”

If similar reasoning is applied to the Kenyan context, it shall imply that complex, multinational or sectoral specific organizations that process personal data require DPOs that possess appropriate levels of expertise and knowledge to execute their duties with full compliance to applicable laws.

The following skills, professional qualifications and abilities are universally considered necessary for a DPO to discharge of their duties effectively and in an appropriate manner:

• Interpersonal and Communication Skills: The ability to communicate effectively, negotiate successfully, resolve conflicts and build fruitful relationships with internal and external stakeholders.
• Organizational & Privacy Program Management: The complexity, variety and number of the processing operations of a Data Controller or Processor will influence the level of organizational skills required of the DPO. The processing operations will determine how the DPO would develop, implement and oversee the privacy program used by the Data Controller or Processor.
• Leadership Skills: A DPO would be expected to head a multi-faceted team consisting of data protection lawyers, privacy and security professionals and various numerous advisors. The DPO must be able to guide, instruct and oversee the team to ensure effective execution of the DPO’s minimum obligations and the fulfilment of contracted tasks to the Data Controller or Processor.
• Data Privacy Strategy Skills: A DPO should develop data privacy strategies that are compatible with the Data Controller or Processors’ business imperatives, data strategy and organizational culture. Therefore, the strategies developed should not encumber current or proposed future business models while simultaneously being compliant with the DPA.
• Technological Skills: The DPO should have sufficient grasp of the technologies implicated in the processing operations that they oversee and strive to possess competency over the processing activities implemented. However, this does not negate the DPO from relying on experts for advice.
• External Engagement Skills: The DPO should be able to represent the Data Controller or Processor and interact with:
• Data Protection Commissioners Office during consultations and investigations.
• Data Subjects upon invoking their rights under Section 26 DPA; and
• Business partners, media, industry associations, third parties and various stakeholders.

The current legal framework governing DPOs in Kenya remains very much in its infancy, with much room for expansion and recommendations. This is exacerbated by the lack of guidelines and commentary on the role of the DPO under the DPA. This article has adopted a Eurocentric approach to expand on and determine what constitutes an effective and strategic DPO in Kenya. However, over time a more suitable and localized approach may be developed and relied upon. Until then, it would be highly recommended that Data Controllers and Processors adopt and implement the relevant sections of the DPA relating to DPOs and interpret said provisions with due regard to the guidelines and standards established by the GDPR and its supporting legislation and documentation. In conclusion, Data Controllers and Processors should take heed of the following:

• Appointment of DPOs under the DPA is not mandatory but is highly recommended.
• Tasks of the DPO are focused primarily on the protection of Data Subjects’ rights and interests and with due regard to the specific processing activities undertaken by the Data Controller or Processor.
• Selection criteria for a DPO are determined on an individual basis; and
• The duty to ensure data protection compliance is the corporate responsibility of the Data Controller or Processor, and no personal liability remains with the DPO