The Data Protection Act (DPA) is a Kenyan law that was passed in 2019 and came into effect in July 2022. It sets out new rules for how companies can store and process personal data about Kenyan residents. The DPA also imposes new obligations on how websites should handle the personal data of their visitors. Personal information that has been collected from an individual includes name, identification number, and contact information such as email address and phone number. The regulation requires companies to be transparent about how they collect, use and share personal data. It also gives individuals more power over their information including the right to ask for it to be deleted or corrected, as well as other rights such as being forgotten online or objecting to automated decision-making, including profiling which could have an impact on them. So as a website owner, you need to make sure that your website complies with the DPA by meeting certain requirements. For example, only the cookies that are strictly necessary for the operation of your website may be automatically activated by your website without first obtaining the consent of site visitors. Otherwise, DPA requires you to have a cookie consent pop-up before allowing users to continue browsing your website. It also requires you to provide essential information about how you collect and use personal customer data – such as the ability for them to access, correct, or delete personal data; as well as the option for them to manage their privacy rights at any time.
DPA compliance can be complicated, but it’s essential in this digital age to maintain the trust of your consumers. A website owner can ensure their site is compliant with the DPA by implementing the measures discussed below.
Update Privacy Policies
Give visitors the ability to manage cookies
Allow visitors to exercise privacy rights
Websites need to give visitors the ability to access, correct, or delete any personal information collected by a website. Additionally, the user also has the power to enforce restrictions on how the personal data gets processed and to object to the way their data is being currently used. Additionally, the visitor can also object to their personal information getting used in an automated way, without any human involvement. The visitor also has a right to request their data from the website, so that they can use it elsewhere. The website must provide visitors with an explicit process detailing the process to request their data, and how it will get provided upon request.
The next important step in complying with the DPA is ensuring that your organization and all of its affiliates are in compliance with the new requirement. Without full compliance, your organization and its affiliates could be subject to fines of up to KES 5 Million for infringements, as well as criminal sanctions. There is no excuse for non-compliance. It’s up to you to protect your customer’s data – and make sure they can access, correct, or delete it at any time they want. We, however, recognize that protecting customer data is a global burden, and nearly impossible for small businesses to manage on their own. We can help! We want to make sure you’re DPA compliant. For more information on how you can be DPA compliant, please contact us today at firstname.lastname@example.org.