Data Protection Impact Assessment (DPIA): The When and How.
“A Case Study of Huduma Number and the World Coin Craze in Kenya”
By Njoki Kimemia, Legal and Data Protection, South-End Tech Limited
On Friday, August 11, 2023, South-End Tech Limited successfully held our monthly public awareness webinar on Data Protection Impact Assessment (DPIA): The When and How, “A Case Study of Huduma Number and the World Coin Craze in Kenya”.
The Speakers at the webinar were Mr. Meshack K. Masibo, Team Leader at MasiboLaw, Global Tech-Law Expert, and Speaker on Data Protection, Artificial Intelligence, and Industry 4.0 and Ms. Winnie Ngige, Data Privacy Specialist and Certified Information Privacy Manager (CIPM).
These are some of our takeaways.
What is a DPIA?
A Data Protection Impact Assessment (DPIA) is a systematic process designed to identify, assess, and mitigate potential risks associated with processing personal data. Its primary aim is to ensure that privacy risks are evaluated and managed proactively before any processing activity commences.
Why Conduct a DPIA?
- Risk Management: DPIAs act as a preventive measure, allowing organizations to identify and mitigate privacy and data protection risks early on.
- Compliance: The Kenya Data Protection Act requires DPIAs for processing activities likely to result in high risks to individuals’ rights and freedoms. This requirement was a central point of argument in the Huduma Number case.
- Enhancing Transparency: Conducting a DPIA demonstrates your commitment to data protection, fostering trust among data subjects and stakeholders.
- Ethical Responsibility: In an era where data misuse incidents are prevalent, organizations have an ethical duty to ensure that data processing respects individuals’ rights and dignity. Today, this is relevant in the World Coin case, where a DPIA ought to have been conducted.
How to Conduct a DPIA
- Identification of Processing Activities: Begin by identifying the processing activities involving personal data. This includes data collection, storage, sharing, and any other associated processes.
- Assessment of Necessity and Proportionality: Determine if the processing activity is necessary for its intended purpose and if the data collected is proportionate to that purpose.
- Risk Assessment: Evaluate the potential risks to individuals’ rights and freedoms. Consider aspects like data security, potential harm, data subject vulnerabilities, and the nature of the data being processed.
- Risk Mitigation: Develop measures to address identified risks. This could involve technical and organizational safeguards, pseudonymization, encryption, or other suitable methods.
- Consultation: Engage relevant stakeholders, including data subjects and regulatory authorities, when necessary, to gather insights and address concerns.
- Documentation: Maintain comprehensive records of the DPIA process, including its outcomes, decisions made, and steps taken to mitigate risks.
When to Conduct a DPIA
A DPIA is mandatory when processing activities are likely to result in high risks, such as:
- Systematic Monitoring: When processing involves systematic and extensive monitoring of individuals, like employee surveillance.
- Large-scale Processing: Processing a significant volume of personal data, especially sensitive categories like health or biometric data.
- Automated Decision-Making: Where decisions significantly impact individuals, such as automated credit scoring.
- Data Matching or Combining: Combining datasets from various sources to profile individuals or make decisions about them.
Who should conduct a DPIA?
In Kenya, organizations that are involved in processing personal data are responsible for conducting a Data Protection Impact Assessment (DPIA) for certain data processing activities. The responsibility lies with the data controller, which is the organization or person who determines the purposes and means of processing personal data.
The data controller should conduct the DPIA to assess the potential risks and impacts of processing personal data, as well as identify and implement measures to mitigate those risks. The data controller needs to ensure compliance with data protection laws and protect the rights of individuals.
It is worth noting that the DPIA should be conducted by individuals or teams with the required knowledge and expertise in data protection and privacy. This includes understanding the legal and regulatory framework surrounding Kenya’s data protection and having the technical skills to assess the risks and identify appropriate mitigation measures.
At South-End Technologies Limited, we understand the importance of conducting DPIAs to identify and mitigate potential privacy and data protection risks. Our team of skilled and experienced professionals is well-versed in the legal and regulatory frameworks surrounding data protection, ensuring that your organization meets all necessary compliance requirements.
By partnering with South-End Technologies Limited for your DPIA needs, you demonstrate your commitment to privacy and data protection, building trust with your customers and stakeholders. Our services go beyond compliance; we help you create a strong data protection foundation that prioritizes the rights of individuals and instills confidence in your data handling practices.
Overall, the responsibility for conducting a DPIA lies with the data controller, who should have the necessary expertise or seek external assistance to undertake a comprehensive assessment.
Which Necessities Are Covered by a DPIA?
A DPIA is necessary for:
- New Projects: Any new project involving personal data processing.
- Significant Changes: Modifications to existing processes or systems that affect data privacy.
- Profiling and Automated Processing: If your activities involve profiling or automated decision-making affecting individuals.
- Third-party Processing: When you rely on third-party processors to handle personal data.
- Sensitive Data: Processing special categories of data like health or criminal records.
In conclusion, DPIAs are an indispensable aspect of ensuring data protection compliance in Kenya. By conducting thorough DPIAs, organizations can uphold individual rights, manage risks effectively, and maintain a reputation built on trust. As data privacy concerns continue to grow, embracing DPIAs as a standard practice will not only help organizations meet legal requirements but also contribute to a safer and more ethical digital environment for all.
Please do not hesitate to contact us for your Data Protection Solutions and Service needs by telephone at +254115867309 or +254721864169, or by email at info@southendtech.co.ke or nkimemia@southendtech.co.ke.