The Computer Society of Kenya

Since 1986



The threat and reality of data theft and exploitation have made data security a matter of major concern to consumers and regulators globally.

The pervasive risk of data theft and tampering has given rise to a number of data protection measures, at both the systemic and institutional levels. Further, the risk of infringing on a customer’s privacy grows by the day, given the increasing frequency and granularity of the data being collected and advances in the technology for processing it. This has led to the need for laws that secure personal data privacy.

The enactment into law of the Data Protection Act in November 2019 was a watershed moment. Designed to bring the protection of personal data from exploitation in Kenya into the 21st century, the Act presents a significant step forward because it facilitates lawful use of personal data, including research, thus strengthening individuals’ fundamental rights.

The Act would later be operationalised through the appointment, in November 2019, of Kenya’s first data commissioner. The Act governs the use, processing, and archiving of personal data; establishes the Office of the Data Protection Commissioner; makes provision for the regulation of the processing of personal data; stipulates the data producers’ rights and specifies the obligations of the data controllers and processors.

True, this law was expedited amidst increasing concerns raised by consumers over the safety of personal data which is being collected by the Government and vendors.

Even then, the implementation of the Act has not come without challenges, especially for banks and other financial institutions. The new data regulations coincided with drastically changing customer attitudes to data protection, compelling banks to meet stronger-than-ever privacy standards.

For starters, the implementation of the Data Protection Act has brought with it an inevitable change in culture. The Act has significantly changed how data relating to data subjects is handled. This has necessitated training staff members in different financial organisations on the provisions of the Act, as well as educating data subjects on the same, including, but not limited to, their rights under the Act.

Secondly, while this law is applicable to institutions handling public data, the customers in these institutions generally have varying levels of knowledge. As a result, it may be challenging for customers with limited educational background to understand their rights and the legal requirements of the Data Protection Act.

Some of the rights include the customer’s right to request a bank to erase their data, update their data or share their data with another bank other than the one they are currently banking with.

Thirdly, Section 32 of the Act provides for conditions of consent. Even then, banking institutions should ensure that this consent is “informed” which means that the customer ought to understand data processing activities and their implications on their rights.

However, in rural and low-income communities, the data subjects (consumers) may not understand their rights, where and when they apply. For instance, under Section 40 (b) of the Act, a customer may not be aware of their right to have a banking institution erase all their data and that it would be a contravention of the law to retain such data.

Fourthly, the Act’s stipulation that a customer has the right to request one bank to transfer data to another bank is not practical and hence defeats the intention of the law. Also, in business terms, this requirement seems unfair as it would appear to promote “poaching” of customers, which many banking institutions may object to.

Further, the new law anticipates that the bank will hire a resource to manage data protection, review the bank’s policy to align it to the Act, and reword its Know Your Customer (KYC) and Terms & Conditions (T&C) documents to incorporate data protection, among other applicable costs that come with the implementation of this law.

There may also be a need to enhance the current technology design to handle data in the encrypted form required by the law, since the current design presents a high risk to data subjects’ rights and freedoms.

There is a need for sensitisation of both the banking institutions and the data subjects to ensure that the data held is correct and up to date so as to adhere to the law and avoid penalties stipulated therein.

Other measures that banks can take to deal with these challenges include frequently reminding customers to update their information; sensitising customers on their rights under the Act; educating customers on consent and the circumstances under which consent applies; and finally, educating customers about the risk of sharing their data with third parties, in accordance with the Act.