The lack of compliance by SACCOs, NGOs, research organizations, and small and medium-sized businesses (SMEs) with data privacy laws leaves customer and employee personal information vulnerable to theft and to transfer to outside parties.
These organizations have been slow to implement technology that prevents data theft or destruction, train staff members in compliance with the new data protection laws, and appoint data protection officers, according to the Ernst and Young consultancy firm’s 2022 Data Protection and Privacy Survey report.
Additionally, they have been slow to apply for registration with the Office of the Data Protection Commissioner (ODPC) as data controllers or processors.
The report found that banks, insurers, telcos, and healthcare organizations were leading in adherence to data privacy laws and registration, which has resulted in a decrease in intentional breaches of personal information.
The study comes after a related report that was published the previous year and revealed that more than a fifth of Kenyan businesses shared customer financial and personal information without authorization.
According to Robert Nyamu, partner at Ernst & Young for digital, analytics, and cybersecurity solutions, “certain industries are aware (of their obligations), and we want those lagging, like SACCOs, NGOs, and others to catch up with the banks so that we do not have either intended or unintended selling of data or transfer of data.”
Large corporations, like banks, have significant financial clout, which has helped them comply with the Act’s requirements, even though some of them have operations abroad. This is especially true if they need to transfer personal data to another nation.
The regulator plans to require registration and compliance with data privacy laws in order for businesses to operate and receive licenses.

