Data Protection Officer: Essentials
Blog By
Ms Jane Ombiro, CIPP/E,
Data Protection Expert South-End Tech Limited
Date: 19th March, 2024
A lot of weight has been placed on data governance and as such controllers and processors are increasingly appointing Data Protection Officers (DPO) to effect compliance with applicable data protection laws to which the controllers and processors are subject. In this article we shall discuss who a DPO is, the legal basis for appointing a DPO, the duties of a DPO and the options available to organizations when appointing DPOs.
A Data Protection Officer is a privacy professional tasked with ensuring that an entity is compliant with all data protection and privacy laws that affect the entity’s operations. They typically do this by developing, implementing and maintaining comprehensive privacy programs for the organization.
In Kenya, section 24 of the Data Protection Act, 2019 is the governing law that provides for the appointment of a Data Protection Officer. This section is a replica of Article 37 of the EU General Data Protection Regulation. However, where the GDPR mandates controllers and processors to appoint a DPO, the Kenyan DPA takes a softer approach by not placing a mandatory obligation on controllers and processors to appoint a DPO.
Some of the circumstances under which a data handler may appoint a DPO are:
- The processing activities are carried out by a public body or private body, except for courts acting in their judicial capacity.
- The core activities of the data controller or data processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects.
- The core activities of the data controller or the data processor consist of processing of sensitive categories of personal data.
Section 24 further states that a DPO may be a staff member of the data handler and may fulfil other tasks and duties provided that those tasks and duties do not result in a conflict of interest. A group of entities can also appoint a single DPO provided that the officer is accessible by each entity at any given time. A DPO should have the relevant academic or professional qualifications which may include knowledge and technical skills in matters relating to data protection. Lastly, the section states that the contact details of the DPO must be published on a data handler’s website and communicated to the Data Commissioner.
Some of the duties of the DPO highlighted in the Data Protection Act, 2019 are:
- Advising the data handlers and their employees on data processing requirements provided under the Data Protection Act, 2019 or any other written law such as the Private Security Regulation Act, 2016.
- Ensuring compliance with the Data Protection Act, 2019.
- Facilitating capacity building of staff involved in data processing operations.
- Providing advice on data protection impact assessment; and
- Co-operating with the Data Commissioner and any other authority on matters relating to data protection.
An organization can either employ an in-house DPO or appoint an external DPO such as South-End Tech Limited, which offers Data Protection Officer as a service. Deciding whether to appoint an in-house DPO or contract an external DPO will typically depend on the organization’s budget, objectives, requirements and direction.
Please do not hesitate to contact us for your Cybersecurity and Data Protection Solutions and Service needs on the telephone at +254721864169; +254740196519; +254115867309 or email.