By Anne Maina, Project Assistant – NIERA

Last month, United States International University – Africa’s Division of Legal Services, in partnership with Gikera & Vadgama Advocates and Galande Consultants, hosted an engaging webinar on “Data Protection & Privacy (Risk Imperatives)”. The webinar was part of the University’s larger efforts in ensuring that the campus community and our partners are apprised of topical legal and governance issues.

Moderated by USIU-Africa’s Director of Legal Services Hellen Ombima, the webinar kicked off with an introduction on the key elements of data protection and privacy and its significance both in the institutional context and personal context.

Kananu Mutea, Partner & Head of Dispute Resolution at Gikera & Vadgama Advocates expounded on the Data Protection Act framework enacted by the Kenyan government in 2019 highlighting its implications on how businesses handle personal data. She further discussed the key principles of data protection as laid out in the Act noting “the legislation plays a key role in ensuring accountability from institutions on how they ethically treat consumers’ personal data to inform their operations”.

Building on the conversation, Felix M. Mung’ara an Associate at Gikera & Vadgama Advocates, distinguished data protection and data privacy noting that the two are intertwined at any given context. He further emphasized on the need for businesses to obtain consent from data subjects prior to utilizing personal data to inform their operations. Failure to this, businesses are at risk of breaching the Data Protection Act, which imposes legal consequences and ultimately affects their operations.

Reacting to participants’ questions on matters pertaining to the responsibilities of data subjects, data processors and institutions in ensuring data protection and data privacy, the speakers explained the respective responsibilities as laid out in the Data Protection Act, noting that each party has an obligation in enhancing data protection and privacy whilst emphasizing the need for informed consent.

In addition, George Alande, Managing Partner at Galande Consultants discussed the risk imperatives in case of breach of the Data Protection Act noting the key role played by the insurance industry in providing mitigation measures in case of data breach and the turbulent time thereafter. Some of the measures include but are not limited to cyber-crime policy and conducting forensic investigations.

The insurance cover protects organizations from loss, liability and or damage against major internet-based risks related to information technology infrastructure such as cyber-attacks, Data breach or Distributed Denial of Service (DDOS) attacks that brings down networks, malware infections that spread through devices, cyber ransom losses, extortion demands made by hackers holding sensitive information they are threatening to expose to the public and or to destroy the data they are holding. Reputation protection costs (PR costs, loss and increased cost of working due to reputation damage), business email compromise resulting in sharing sensitive information and media liability associated with infringement and other content that is electronically disseminated are also covered under that policy.

Mr. Alande also pointed out that the cover does not extend to privacy liability which is considered a breach of professional duty and is adequately covered under Professional Indemnity Insurance. Further, infrastructure failure, intellectual property infringement (whether alleged and or actual), hacking by director or partner in the organization, outdated systems and or software that are not supported by the developer and dishonest and criminal acts are also not covered by said policy.

One theme that cut across the conversation was the need for data subjects to retool themselves with sufficient information pertaining to their rights and responsibilities to ensure data protection and privacy particularly in the business environment. Further, data processors and controllers have an obligation to utilize personal data obtained for legitimate purposes. This is laid out in the Data Protection Act as well as in the Constitution of Kenya.

For more of these insightful sessions, please check out the events page.

Watch the recorded webinar via YouTube here: