The Kenyan Office of the Data Protection Commissioner (ODPC) has imposed harsher regulation on protecting consumer data, targeting fintechs and startups in the region.
The regulation builds on Kenya’s 2019 Data Protection Act, and will require startups to register with the ODPC when processing personal data. Parties can register as Data Processors or Data Controllers, and must pay a fee for each if they register as both. Data Controllers are defined as those that select and profit from the personal data being used, and Processors manage third-party data.
Financial services entities are among those not exempt from mandatory registration, regardless of their annual turnover or number of employees. Big tech and fintech startups specifically will be affected by this legislation, as they will be required to reveal the personal data they are processing, the purpose for collecting it, and the target individuals they collect it from.
The law requires all entities that process data to register with the ODPC and pay fees according to their number of employees, turnover/revenue, and whether the firm is a public entity or not.
The regulation is similar to the EU’s GDPR, and firms will be required to request consent from consumers to use their data and inform them of reasons for data collection and storage.
The update underscores the significance of holding companies accountable for data collection and ensuring consumers are protected. To ensure compliance, entities must inform the ODPC of data breaches within 72 hours; otherwise they risk facing jail time and fines.
Kenya’s Data Commissioner, Immaculate Kassait, commented: “Registration is just one, but very important, element of compliance with the data protection legislation as entities, including individuals, cannot act as Data Controllers or Data Processors in Kenya unless they have registered with the ODPC.”