DATA PROTECTION IMPACT ASSESSMENT IN KENYA
A data protection impact assessment (DPIA) is a risk assessment audit designed to assist an organization in identifying, analyzing and minimizing the privacy risks that come with collecting, processing, using, storing, and sharing of private personal data relating to data subjects.
Under the Kenyan Data Protection Act, 2019, it is a mandatory requirement for all organizations engaged in processing operations that are likely to result in high risk to the rights and freedoms of a data subject, prior the processing, to carry out a data protection impact assessment and submit the same to the Data Protection Commissioner.
In other words, it is mandatory for a data controller or data processor to first consult the Data Commissioner before processing personal data if the data controller or data processor is of the view that the processing would result in a high risk to the rights and freedoms of the data subjects.
The following processing operations are considered to result in high risks to the rights and freedoms of a data subject:
- automated decision making with legal or similar significant effect that includes the use of profiling or algorithmic means or use of sensitive personal data as an element to determine access to services or that results in legal or similarly significant effects.
- use of personal data on a large-scale for a purpose other than that for which the data was initially collected.
- processing biometric or genetic data.
- where there is a change in any aspect of the processing that may result in higher risk to data subjects.
- processing sensitive personal data or data relating to children or vulnerable groups.
- combining, linking or cross-referencing separate datasets where the data sets are combined from different sources and where processing is carried out for different purposes.
- large scale processing of personal data.
- a systematic monitoring of a publicly accessible area on a large scale.
- innovative use or application of new technological or organizational solutions. or
- where the processing prevents a data subject from exercising a right.
In regards to timeline, the Data processor or controller is required to submit the data impact assessment (DPIA) reports within sixty (60) days prior to the processing of personal data and upon submission of the DPIA to the ODPC, the Commissioner will review and revert with guidance on how to proceed. If upon submission of the DPIA to the ODPC, the data controller or processor does not receive any feedback within 60 days, the DPIA is taken to have been approved and the data controller or processor may start the processing thereafter.
In regards to the contents of the DPIA, the ODPC requires a proper and complete DPIA to have the following:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller or data processor;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects;
- the measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, taking into account the rights, and legitimate interests of data subjects and other persons concerned.
At A.O.Wanga Advocates we are available to assist you in preparing your DPIA and engaging the ODPC for all relevant approval and guidance.
Feel free to contact us on info@aowangaadvocates.com or +254794600191
All rights reserved for A.O.WANGA ADVOCATES
www.aowangaadvocates.com