The Computer Society of Kenya

Since 1986


Wednesday June 6, 2018

When the European Union sought to protect consumers, they intensified the use of International Organization for Standardization (ISO) certification.

In the early 1990s, Africa, which exported horticultural products to the EU, was forced to adopt the certification.

Once again, the EU wants to protect her citizens from abuse of data that is passively collected from consumers by digital solutions providers.

The General Data Protection Regulation (GDPR) came into force last week on May 25. The objectives of the regulation are to

“lay down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data; protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data; enable free movement of personal data within the Union without restriction for reasons connected with the protection of natural persons with regard to the processing of personal data.”

The regulation does not restrict processing of individual data as long as the subject has given consent.

It creates the office of controller, who has some leeway to allow use of the data by a third party as long as it does not violate the human rights of the subject.

It also allows processing of data for research “in order to protect the vital interests of the data subject or of another natural person”.


Its implementation will have far-reaching implications for hundreds of companies that have digital data of EU citizens. These include our tourism, transport, financial, agriculture and ICT sectors.

Basically, you need to notify all EU citizens in your records that you hold their data, seek their permission to continue holding such data and ask them to confirm that they are willing to receive your communication through the digital platforms that necessitate your communication.

My own data seems to have been in multiple EU databases some of which I didn’t even know existed. They all have had to write to everybody in their databases to make the notifications. Here is a typical letter from an EU entity holding private data on a natural person:

“You may have heard about the new General Data Protection Regulation ("GDPR") that came into effect May 25, 2018. Our organisation has a presence on the internet in the form of a website, mobile application, SMS and email messaging and as a result collects personal data including your own data. To help comply with this regulation’s consent requirements, we need to confirm that you would like to continue receiving content from us. We hold personal information/data held in our database primarily to maintain vital communication.”

Failing to comply with the regulations attracts penalties of up to four per cent of the holding company’s global revenue.

Imagine that you are a Kenyan hotel with email addresses of EU citizens and send some brochures for upcoming promotions.

If the recipient had not allowed you to send such promotions, you will have some explaining to do as to where you obtained the recipient’s data.


Remember the Latin legal maxim ignorantia legis neminem excusat ("ignorance of the law excuses not")? Many organisations are going to fall into this trap, thinking that a previous encounter with someone gives them licence to use their data without express authority from them.

The potential economic impact of these regulations on Africa is enormous. A January 2018 report, General Data Protection Regulation (GDPR) Not Just an EU Concern: The Implications for Africa, by Dalberg Advisors says that there isn’t any African country that is compliant with this regulation and as such Africa’s $14 billion digital economy is at risk.

Chances are that many organisations will begin to create awareness among their employees when penalties begin to hurt entities that fail to comply.

There is no reason we should wait for penalties when we can begin to create awareness now.

This is a matter that African governments should approach carefully and align themselves with the requirements of this regulation.

Regional economic blocs as well as trade associations should urgently be summoned to conferences simply to understand the implications of violating this new regulation.
This can be followed by a sustained campaign on responsible use of digital solutions that we have come to take for granted.


The EU has set the tone that virtually every other country will emulate in order to put in place effective data protection regulations, especially now when Cambridge Analytica data breaches are fresh in people’s minds.

There are good lessons we can learn from GDPR that can inform our initiatives to develop local data protection legislation.

Since 2009, Kenya has been struggling to develop a data protection law but it has never gone through Parliament.

The Dalberg report says:

“Achieving compliance presents an opportunity for African countries to increase their participation in the global digital economy – an economy that is currently concentrated among a small set of developed economies.”

GDPR sets the benchmark that many other countries need in order to exploit data resources without compromising individual liberties.

However, as we digitise, there will be challenges, especially if Africa does not make investments in high-speed data centres to avoid dependence on cloud services from far-flung areas that we are now used to.

Let’s remember that these cloud storage facilities are outside the jurisdiction of our laws.

These investments will demand cross-border collaboration in Africa and a new definition of local data.

Already, the banking industry is pressed for country-level investment in data centres to ensure that local data remains local.


All these coming changes are indications of the emergent fourth industrial revolution that will be largely based on digital transformation.

With it, we need the capacity to cope with the increased demand for data. It doesn’t require a genius to know that the impending changes will require a significant amount of human resources to execute.

It is what we need to create more jobs for a population that has grown out of control. Our future competitiveness depends on how well we utilise data resources to predict some of the future happenings and our capacity to analyse them.

Those nations that make proactive decisions about the future will benefit from the emerging dividends of the fourth industrial revolution.

Slowly, trust is being automated by the emerging technologies, and especially so with blockchain, so that no one will be able to afford to be outside of a club that will mean so much to economic development.

We have no choice but to meaningfully play this global game knowing that our human rights are protected.

In so doing, we cannot just rely on GDPR, as its jurisdiction is within the EU. We need our own regulation that protects us while recognising the importance of data.

Emerging countries therefore must quickly embark on developing a similar regulation and the capacity to enforce it.
