Technology has so strongly been synced to our everyday lives and as a result, data security is both personal and a corporate consideration. Personal computer and mobile phone users are faced with concerns on the accessibility of their devices and the data contained in the same way that businesses are concerned with customer data. As technology is primarily intended to makes things easier and more efficient, it also comes with the increased concerns, including cyberattacks and cybercrime, with the potential harm that may arise being almost limitless. Consequently, data security seems to be an ever-growing issue in the modern era.
In Kenya, the main legislation relating to this is the Data Protection Act, 2019 No.24 of 2019,
What risks?
On a personal level, the security of our data is ever at risk by virtue of being users of different digital products and platforms. Most, if not all persons, have received notifications of unauthorized attempts to access email and social media accounts. This has led to increased awareness on security measures including the use of encrypted communication as well as setting of password requirements by various sites.
Likewise, commercial users and enterprises are constantly facing the risks of data breaches, hacking and data leaks due to the level of customer data and information they hold. An example of this is the alleged hacking of the National Identification Information Management System (NIIMS), which was being criticized for among other reasons, an inability to ensure that data is secure. Similar incidences have affected other institutions such as banks, amongst others globally.
On a more global scale, major tech players are being accused of automating permissions that allow all manner of data collection, not only from browser history but also from voice recognition aspects in the software, with reports of many having conversations only for the items they mention to appear as advertisements targeted at them.
Data Protection and Security?
In Kenya, the main legislation relating to this is the Data Protection Act, 2019 No.24 of 2019, which imposes various requirements in relation to the protection of one’s personal data. Such obligations are placed on the holder of the data, specifically to ensure that appropriate safeguards are put in place when handling personal data. This Act, with the explicit use of the phrase “security” makes it a key consideration governing data processing and transfer of personal data outside Kenya among other instances and further mentions “encryption” as a means of ensuring data protection and security.
Although the term ‘appropriate safeguards’ has not been defined, it similarly has not, to our knowledge, been subjected to judicial interpretation in Kenyan courts being a new legislation. As such, we may seek guidance from the General Data Protection Guidelines of the EU, from which our data protection legislation was heavily borrowed from and which expressly outlines what amounts to appropriate safeguards that may be provided “without requiring specific authorisation from a supervisory authority” under Article 46 (2).
There are also other personal measures taken to ensure the safeguarding of our data in everyday usage of our devices. To start with, one should at least read through the terms and conditions as well as privacy policy for various platforms before accepting and using their services. This is because some service providers take advantage of the fact that most persons do not take the time to read through them and include provisions that may not be ideal to the user, including terms that allow them to use your data for additional purposes other than to provide their services. Recent research has shown that by blindly consenting to such terms, we may be consenting to giving our data to third parties, and in some instances, accepting serious risks relating to our cyber security.
Given the increasing digitization of businesses, there exists a need for a more proactive approach to data security. Businesses should take early and anticipatory steps towards embedding the principles of data protection and cyber security in their internal infrastructures, as well as within the legal relations with other service providers and consumers.