Kenyan companies are on the spot for sharing customer data without consent.
The number of Kenyan companies that breach data laws are certainly not any less than a couple of thousands. We all share data with companies but we never really ask ourselves why they need some of that information and the data they actually need they end up sharing the data without consent.
A survey that was done by consultancy Ernst & Young revealed that 41% of clients data was transferred to third-party service providers. This means that they didn’t feel the need to ask their clients if they could share their data neither inform them of what they would do with this data.
Is there a law against data breaches in Kenya?
You might assume that these laws are non-existent while in fact there are laws that restrict the handling and sharing of personal data firms and government entities obtain. If you were to find out that your information was shared without your consent you would be able to be compensated with KSh 3 million and the accused would risk 10 years in jail and firms would get a fine up to KSh 5 million or once percent of annual turnover.
“The problem is some of the organisations have not started internalising the requirements provided by the Act. So up to now, organisations have been sharing information freely and this is a violation of the Act,”
Which companies have been caught in the act?
Of course, it’s not surprising that the companies found in this mess included top banks, asset managers, insurance companies, telcos, retailers and manufacturing firms. They shared data with third parties which would then help them in advertising by sending SMS alerts. Apparently, some of the information is also shared with law enforcement officers to assist in investigations.
This is why there are times you get unsolicited text messages, emails or product services that you did not sign up for. Although it may seem harmless data breach can put you at risk of having your identity cloned which can lead to bank fraud.
Data is so valuable that it has been described as the “new oil” where personal information is shared for a good amount of money.
Selling this data has become a lucrative but illegal activity despite the fact that there are data protection rules that have been put in place. In an attempt to investigate data infringements the government has appointed Immaculate Kassait as the first Data Protection Commissioner.
The Act was passed in 2019 to support efforts to digitise identity records for citizens after the Huduma Namba registration exercise sparked a controversy. The registration, which the government said would boost its provision of services, suffered a setback when the exercise was challenged in court.