Ensuring information was managed and looked after was imperative now that the General Data Protection Regulation, known as GDPR, was in place in Europe (from May 25). Despite this, there were businesses in Africa that did not grasp the sweep of the new legislation, Kariuki said.
GDPR is a new law that demands businesses and governments in Europe, and those doing business with Europe, ensure the data they hold is catalogued and safely ring-fenced. It protects the individual’s “right to be forgotten”, making consent mandatory for personal information to be kept or shared. Non-compliance in Europe, including doing business with non-compliers, carries penalties of up to €20 million (US$23.24m). For African business it may mean being cut out of the European common market.
“Many companies think GDPR doesn’t affect Africa – that it is a European thing. On the contrary, it will affect most business entities and it will hit home when you want to transact with Europeans and European entities which will require your business to be compliant,” says Kariuki.
While most ordinary people in Africa did not appreciate the regulations, she said, they were increasingly aware that personal data could be used to profile them and that this information carried value. A Data Protection Bill was tabled in the Kenyan parliament in 2013, but was withdrawn shortly thereafter. Nevertheless there have been recent discussions in parliament about the impact of GDPR and how Kenya could adopt it as a matter of best practice.
“With GDPR now front of mind globally, it is imperative that African lawmakers familiarize themselves with the European legislation and assess its impact,” Kariuki said. “It is an international Best Practice and it is in the interests of a nation for its government and the private sector to work towards compliance.”
She warned though that data privacy compliance for businesses was an expensive undertaking.
“First and foremost it involves carrying out an audit of the information a business or government department holds and then taking steps to protect it - which takes manpower and technology. So, the biggest factor is resources since it involves all departments in a business. This may explain why there has been peripheral effort towards compliance in Africa but now, with GDPR upon us, many East African companies are developing a 1 to 5 year compliance strategy.”
Kariuki said compliance would, mostly, be spearheaded by government and the aviation, banking and fintech sectors which handled high volumes of personal data.
“The disruption of the traditional delivery of telecommunication and banking in Kenya by fintech innovations means these sectors have changed a lot over the years. For example, products such as the mobile payments service M-pesa (M for mobile, Pesa for money in Kiswahili) have revolutionized monetary transactions making them easily accessible to a majority of the Kenyan citizens. As a consequence, many Kenyans now rely heavily on their mobile phones to transact both locally and internationally. The M-pesa platform has since incorporated other financial services including micro-lending and accounts payments. By virtue of this, the companies providing these platforms are holding enormous volumes of personal data and have to consider GDPR compliance.”
The legal practitioners’ role now was to support businesses on this journey by issuing advisories on compliance, data governance and management.
“Our law firm acts for one of the largest fintech companies in Kenya and, as such, we find ourselves at the center of GDPR compliance. So, to engage with ‘thought’ leaders on this issue, I attended a conference in South Africa earlier this year where the intricacies of financial technology were a major issue of discussion. Being a technology lawyer in Kenya, which is considered an innovation hub, I appreciated how a well-informed lawyer could play a leadership role in such emerging issues. As lawyers we need to fully understand GDPR and be proactive in guiding clients to be compliant. It will be very costly for business entities to hit up against this regulation and end up losing out on major transactions due to non-compliance.”
Kariuki has some pointers on basic questions that lawyers need to ask when advising clients:
- Does GDPR impact on your business?
- What are the local laws on data protection?
- What are the local regulator guidelines on data protection?
- What steps does the business need to take to be compliant?
“As legal practitioners, our scope of services is wide and includes collaborating with clients to carry out company-wide GDPR awareness and training, drafting policies and contracts and general advisory.
“Even where GDPR does not affect a business entity, good data management and governance practice gives businesses an edge and mitigates potential legal and reputational risks.”
For Kariuki the move towards large scale data protection is a natural progression following the dramatic growth of fintech and online global communication over the last three decades.
What interests her is seeing how Africans, especially those living in rural communities, are “leapfrogging” into the technological age once infrastructure is in place.
“Even grandmothers in small villages can be connected. That is why it is so important for providers to ensure the individual’s privacy and online security is protected. We haven’t had a precedent setting dispute on data privacy and sharing of data – yet – but it is time to engage with data protection and privacy legislation to ensure that there are structures in place if and when a dispute occurs.”
On a personal level, home for Kariuki is Nairobi where she grew up and her family’s roots are in Nyeri in the Central Highlands. An interesting fact is that Nyeri is the birthplace of the Boy Scout movement and is where its founder, Lord Robert Baden-Powell, is buried. The Boy Scout motto of “Be Prepared” holds a deep relevance for GDPR - simple but sound advice to follow!
Re-publication of this article is authorised only in the following circumstances: the writer and Africa Legal are both recognised as the author, and the website address www.africa-legal.com and original article link are included. A bio can be provided on request.
Re-publication without reference to Africa Legal is not authorised.