Given data privacy cuts across every industry and every sector of the economy, it’s important nowadays for organisations of all kinds to put in place specific data protection policies, says Corporate and Commercial law expert Herbert Njoroge of leading Kenyan firm Ashitiva Advocates LLP.

“Everyone is handling data now,” says Njoroge, “whether it’s a security guard taking photos of everyone coming in, an automated security system in an organisational set-up or a standard office, and even us as law firms. Data privacy actually cuts across every industry, not just tech or tech related businesses.” 

Kenya adopted specific legislation to protect personal data in November 2019. Njoroge says the Data Protection Act No. 24 of 2019 is a simplified, localised version of the European Union’s General Data Protection Regulation (GDPR), and Ashitiva Advocates LLP are go-to experts in this new, vital space. 

“It’s important for different players to be able to interpret this law and apply it accordingly,” says Njoroge. “For public awareness, for business clients, for not-for-profit organisations, everyone is captured under this law. It’s important to uphold the right to privacy and protect it as it’s laid out in the law. So, it’s an interesting new era, and for Kenya, having this new Act is really a step forward.”

Njoroge and his colleagues have been working to help improve public and business awareness of the intersection between technology and upholding the right to privacy. 

“For many organisations, and the public generally, data privacy and protection are fairly new concepts,” says Njoroge. “People rarely question when giving away their personal information, they fill out forms every day, both online or manually. It’s not unusual.”

Under the Act, organisations operating in Kenya now have to “be very intentional” about how they handle personal data, and must endeavour to protect and uphold individuals’ rights to privacy, notes Njoroge. “It has to be inculcated in our culture, in our practices and in our organisational structures.”

Multinational organisations operating in Kenya also need to be aware that anyone transferring personal data outside the country first has to seek approval from the new regulator, the Office of the Data Protection Commissioner, which is responsible for examining the adequacy of security measures in place during the transfer of personal data outside Kenya. 

A current challenge, says Njoroge, is that the new regulator has yet to release guidelines on what safeguards and security measures are deemed adequate, or what proof is required to show such adequacy. But this is a vital area that all businesses, not just online or technology businesses, need to consider.

Ashitiva Advocates LLP has been upskilling all its lawyers, regardless of their main practice area, and building capacity internally as well as advising and assisting a broad range of local and international clients with data privacy and protection matters.

“Practitioners need to be encouraged too,” says Njoroge, who notes Ashitiva Advocates LLP has revamped its client engagement letters to include robust data protection clauses. They’re also helping clients to adopt policies for handling data. Most commercial agreements they are preparing now also specify data protection provisions.  

“As lawyers, we are also putting in effort to obtain the relevant qualifications and join international networks of data privacy professionals so that we create a pool of people with whom we can bounce off thoughts and hold discussions about the specific data privacy challenges our countries are facing. All our efforts are geared towards ensuring this new law is implemented successfully, and for us to be useful in advising our clients on protecting personal data.” 

For more great content join Africa Legal's mailing list - click here