In addition to their traditional responsibilities, the role of directors in Kenya has evolved to include data protection. As data becomes an increasingly valuable asset for companies, directors are now responsible for ensuring that the personal data of customers, employees, and other stakeholders is being handled in a responsible and compliant manner.
The Data Protection Act 2019, which came into effect in 2019, provides the legal framework for data protection in Kenya. It sets out the responsibilities of data controllers, including companies and their directors, to ensure that personal data is collected, stored, and processed in a manner that is compliant with the law.
Under the Act, directors are responsible for ensuring that the company has a robust data protection policy in place and that the company’s employees, agents and any third parties that process data on behalf of the company are aware of the data protection requirements and their responsibilities. This includes providing training and guidance to employees on data protection best practices and ensuring that all data collection, storage and processing activities are in line with the data protection policy and the Act.
The Act also requires companies to appoint a Data Protection Officer (DPO) who is responsible for overseeing the company’s data protection activities and ensuring compliance with the Act. Directors are also expected to work closely with the DPO and other data protection experts to ensure that the company is meeting its data protection obligations. This includes providing the necessary resources and support to the DPO to enable them to carry out their role effectively, and ensuring that any issues or concerns raised by the DPO are addressed in a timely manner.
Furthermore, the Act requires companies to implement appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, and destruction. Directors are responsible for ensuring that these measures are in place. This includes implementing appropriate security measures such as encryption, firewalls, and access controls to protect personal data from unauthorized access or hacking, and regularly reviewing and updating these measures to ensure that they remain effective.
In addition, the Act requires companies to report data breaches to the regulator, the Communications Authority of Kenya (CA), and to any affected individuals. Directors are responsible for ensuring that the company complies with this requirement. This includes having a robust data breach response plan in place and ensuring that any data breaches are reported to the regulator and affected individuals as soon as possible, in line with the Act.
In conclusion, the role of directors in Kenya has evolved to include data protection, and directors are now expected to be knowledgeable about data protection laws and regulations and to ensure that the company is complying with them. Directors are responsible for implementing appropriate data protection policies and procedures, working closely with the DPO and other data protection experts, and ensuring that the company is meeting its data protection obligations as set out in the Data Protection Act 2019. This includes implementing appropriate technical and organizational measures to protect personal data, ensuring that data breaches are reported in line with the Act, and ensuring that the company is taking the necessary steps to protect the personal data of its customers, employees and other stakeholders.