
Guidelines For An Effective Data Privacy Policy For Your Business

By Njoki Kimemia, Legal & Data Protection Associate, South-End Tech Ltd

Date: April 17, 2023

With the growth of the internet and of data protection and privacy regulation, people have become more aware of their rights. On April 11, 2023, The Office of Data Protection Commission (ODPC) issued a penalty notice against Whitepath company limited for failing to comply with an enforcement notice.

A deeper analysis of the case will also reveal that their privacy notice does not conform to the principles of Data protection.

Recently, South-End Tech Limited held a webinar on how to draft a privacy policy and why it is important for E-Commerce businesses to have one. So what is a Privacy Policy? A Privacy Policy is a document that contains a complete public statement about how your organization deals with personal data.

A privacy policy aims to show anyone who visits your online platform that the information they share, or that is gathered from them, is protected by the company. This is because the personal information of your users, including names, birthdays, addresses (including postal codes), phone numbers, and email addresses, is your responsibility as the owner of the website. Furthermore, websites can track non-descriptive information such as geolocation, shopping history, medical and educational background, and email and text message content.

Contents of a Privacy Policy

The Data Protection Act Kenya does not explicitly provide for the contents of a Privacy Policy. However, section 29 provides the duty of a Data Controller or Data Processor to notify the Data Subject of:

  1. the type of data being processed and the purpose of processing,
  2. whether data is shared with third parties,
  3. the rights of the Data Subject,
  4. the technical and organizational safeguards put in place,
  5. that the policy can be subject to amendments,
  6. the grievance officer who will be the contact person in case of queries.

(Kindly note that this is not an exhaustive list as every policy is meant to be tailored for every organization.)

Key points in drafting

  1. The privacy policy ought to be drafted in plain language. There is no need for legal jargon or complex language.
  2. It should bear the principle of transparency. Data subjects need to know how their rights are protected, and whether the website collects data through cookies, etc. This in turn enhances your brand image and helps build customer trust.
  3. The policy should give website users the choice to opt in or out. This allows them to freely consent to or reject the policy.
  4. The policy should be accurate and reflect the actual practice of your website, and not be one that has been copied and pasted from another website. Copying and pasting carries the risk of legal action if the policy is plagiarized; the act could also constitute copyright infringement.

At the end of drafting, your policy should answer these questions:

  1. What kind of data are you collecting?
  2. Why are you collecting this data?
  3. How are you collecting it?
  4. How are you using this data?

If your privacy policy does not take into account all of these considerations, you risk paying substantial fines and losing the trust of your clientele. In 2021, WhatsApp was fined €225m (£193m) by Ireland’s data watchdog for breaching privacy regulations. The fine was related to an investigation which began in 2018, about whether WhatsApp had been transparent enough about how it handles information. The issues involved were highly technical, including whether WhatsApp supplied enough information to users about how their data was processed and if its privacy policies were clear enough.

Reach out to our team at South-End Tech Limited if you need any assistance in developing a privacy policy and notice for your business.
