Kenya: Data Protection Compliance Self-Assessment – why your organisation needs it

published on 24 June 2024 | reading time approx. 2 minutes

The Data Protection Act, 2019 (“DPA") mandates a data controller or a data processor under section 31 to undertake a Data Protection Impact Assessment (“DPIA") prior to processing any personal data that, due to its nature, extent, context, and purpose is likely to result in a high risk to the rights and freedoms of a data subject. To this end, the Office of the Data Protection Commissioner issued a Guidance Note on DPIA that is aimed at informing the data processor or data controller on how to undertake the process including the identification of risks arising out of the processing of personal data and to minimize the identified risks.

The framework of assessment used during a DPIA, although recommended for processing that is high risk to the rights of data subjects, can be adopted by data controllers and data processors for purposes of undertaking a general data protection compliance self-assessment in various instances including prior to submitting the registration particulars and generally evaluating the compliance status of an organisation with the DPA.

A Data Protection Compliance Self-Assessment involves conducting an internal analysis to establish the organisation’s data processing activities, establish whether there is a data governance system in place, whether the persons handling the data understand the system and adhere to it, and measures in place to mitigate the various data processing risks. It is a form of a self-assessment mechanism which allows the organisation to understand its personal data processing environment by examining the personal data it handles, the potential risks and safeguards it should put in place to mitigate the risks.

A Data Protection Compliance Self-Assessment will typically involve the following:

Examination of data processing activities and the data governance system: Data processing activities include among others, the way an organisation collects, records, organizes, stores, alters, retrieves, uses, discloses, restricts, erases, or destructs personal data and guiding policies in place. This examination may be carried out through interview sessions that enable collation of data from persons in an organisation who handle the personal data.

Identification of risks: Having identified the type and categories of personal data processed, and reasons for the processing, a further examination of risks associated with the type of personal data processed is carried out. This examination leads to the identification of the potential risks such as loss of personal data, unauthorised access, cyber security risks, knowledge gap of the applicable data protection principles by persons handling the data. Thereafter, this informs the development of technical and organizational measures to mitigate those risks if not already in place.

Report and Action Plan: The final step is the consolidation of a report that outlines noncompliance gaps and gives various remedial recommendations to entrench the organisation’s obligations and compliance requirements under the DPA. This report allows the organisation to appreciate the gaps that may be existing in its data processing environment and enables it to put measures in place to ensure compliance.

At this stage, an action plan detailing the gradual steps that will be taken to resolve the various identified risks, gaps, and issues is also developed. The action plan will contain implementation dates and include dates for a further assessment to check the progress the organisation has made towards data protection compliance under the DPA.

An effective Data Protection Compliance Self-Assessment has the following benefits:

Facilitates collation of particulars required during the registration as a data controller and / or data processor as provided under section 18 and section 19 of the DPA. Particulars such as description of the personal data processed, purpose of processing, category of data subjects, risks, and safeguards, etc. identified during the Data Protection Compliance Self-Assessment are utilised.
Enables an examination of the data protection compliance status of the organisation with the essential principles laid out in section 25 of the DPA which must be considered when handling personal data. The essential principles provide for processing of personal data taking into account privacy, purpose limitation, lawfulness, accuracy, storage limitation, and transfer outside Kenya based on adequate safeguards or consent. This allows for the adoption of the appropriate technical measures required by the organisation for implementation of data protection principles and integration of the necessary safeguards in its data processing activities.
Informs the designation of a Data Protection Officer whose role is to advise the organisation on compliance matters under the DPA thereby taking leadership in data protection matters. This allows for the implementation of data protection by design under section 41 of the DPA.

In conclusion, a Data Protection Compliance Self-Assessment is a pertinent tool for self-regulation by a data controller or data processor. This therefore presents an opportunity for the organisations to invest in the relevant capacity aimed at maintaining an effective data protection compliance system.