back down like we would not leave at all. Yeah, this is still one in the morning and this is the first conversation of the day, if you just drink and so you're still on time. This is sport on tech, where we talk about technology, innovation and any issues around that area of policy and, you know, matters that concern us, and today we want to talk about data protection and privacy compliance in Kenya. So when you talk about data protection, it's about your personal data. How is it being used out there, and why do you need to be concerned about how your data is being used? So this is a conversation that we are going to have with Linda. She is a professional working. Linda Gishohe is a professional lawyer and a data protection specialist at KICTANet. Thank you so much. Let's have you with us.

Thank you for having me.

Okay, so let's start this conversation with: what do we mean? Why do we need to talk about data protection and privacy compliance?

Thank you so much. In terms of data protection, you can see that this is currently the trend, actually, at the moment. We know that the future is digital, so it is very important for you to know where your data is going, what your data is being used for, because we've seen trends in terms of, even, you find you get unsolicited messages. You find trends where, when your data is taken, your phone can be hacked, you can even lose some money, people can get into your account. When your data is also taken, we also find there are some phishing scams that are there currently, where you receive maybe phone calls, people saying they're banks, so that they can get some data out of you. So it's very important for you to protect your data so that you cannot eventually have losses.

So now I'm trying to get the difference between data security, because this is around data security, and cyber security. Is there a difference now? Can they be used interchangeably?
Well, I would say cyber security is more broad, because it talks about everything in the cyber space. But when you talk about data, you talk about information, your personal information: is your personal information secure enough? So when you talk about data security, it is the same as talking about, let's say, digital security, and from there is when you talk about data protection: how do you protect your personal data, how do you protect your personal information? So we find that there are various aspects in which, even when you get into a building, you give out your data. Data is something that can be used, it's actually currently something that can be used as a weapon, yeah.

How so?

So you'd find that, for example, let's say someone hacks into your phone. You have certain sensitive information that could eventually jeopardize. We have sensitive information that includes, let's say, health, we have biometrics. This is personal data that is very sensitive, such that it can cause severe damage when it is abused or when it is used incorrectly.

Okay, even your bank details?

Yes, yes, for sure. There is certain data that is sensitive and there's other data that is not. So when you talk about names, your name, your email, that is not necessarily sensitive. But when you talk about your health, let's say if someone leaks that maybe you have a certain kind of disease and all that, that can also jeopardize in terms of your workplace, even in terms of insurance. So those are the data that is considered as sensitive.

All right, yes. So when we talk about, you put the data protection, do we have laws that, let's say, govern that, for people that don't know?

Yes, yes. In Kenya, for example, we have the Data Protection Act 2019, which also mandates the office of the data protection, the Office of the Data Protection Commissioner, which oversees all issues around data protection, and also to investigate. They have certain roles and responsibilities. And regionally we have the Malabo Convention. It's an AU con, AU
regional convention and data protection, so this talks about everything about data protection, and also, for now we have about 35 countries which have ratified the Malabo Convention in Africa, yeah.

All right, so we have laws that govern this.

Yeah, so when your data is misused, there are places you can go and report this.

Talking about the Data Protection Act 2019, we know that there's a new legislation to it, so tell us about it. What's in this new legislation that was not captured in the Act?

So I wouldn't say it's a new legislation per se, but the Office of the Data Protection releases certain regulations. It's not exactly an Act, but they are regulations. So we also have guidance notes. So some of the regulations include on consent; it talks about also registration of data protection controllers and data processors; it also talks about data protection impact assessment, which I can talk about later on.

Okay, yes, so we'll get to all that, the consent bit and whatnot. But as a person, as an ordinary citizen who's watching, why do they need, okay, to be mindful about how that data is used, giving consent to, you know, the data controllers and whatnot, and so the data controllers are, as we go on. So why do they need to care about how, you know, the data is used?

So, as I said before, first of all I would say you as a person, you're known as a data subject, so you're the one whose data is being used. So we have the data controllers and the data processors. So as a person you can talk about, maybe, let's say, when you go somewhere and someone asks you for your data, maybe even your location, maybe when you fill in your email, your, for, yeah, exactly. So when they take all this data, do you wonder what they use that data for? Exactly. So there are also certain instances where people even sell your data so that it can be used for various purposes. And right now, when you are going to
the age of even AI, you'd find that there are other issues that can come about with it. Even you can be persecuted for a crime that is not yours just because of your data being leaked.

Okay, so they can use my data maliciously?

Yes, for crime, yeah.

Okay, yeah. So me going to, let's say, a building, and they ask for my details: is it okay for me now to give my details, or do I need to know what they're using my details for?

Yes. So first of all I would like to highlight that recently there was a statement that was issued in terms of security guards being mandated to take your ID, also certain information, and retain your ID there. So it's important for you as a data subject, or as a person, to be able to ask the right questions. So when someone is asking you for your data, it's your right to say: what are you going to use this data for? Is this mandatory? And it shouldn't be, because for someone to collect your data you need to consent to it. So when it comes to certain issues, if it was not recently that the statement was issued that it is mandatory for that, so you find that it's also a conversation in the privacy and data protection space, whether this will jeopardize your right to privacy, the right to have your data protected, and where is that data safe? Because you'll find that even security guards hold a lot of information. What happens when that book is leaked? That's why you find that sometimes you receive very unsolicited messages and you wonder where they got my number.

Yeah, that's exactly where they get your number. Some of it, maybe it's through your digital footprint, your website, the amount of information that you put out there. For some of them, they get it from certain aspects where you go to an event, you write your name, you write your email, yeah, then, okay, that's how they get your information.

But it's okay for you to actually ask what exactly is my data and give consent for it, or you cannot just refuse to
give it?

Yes.

Okay, yes. All right. So when we talk about the data processors, now we know that these are the people who actually process, take down, and then the controllers. Who are the data controllers?

So we have the data controllers and the processors. So a data controller is the one that determines for what purpose your data is being collected and determines what it's going to be used for. And the data processor is the one that takes the instructions from the data controller and processes that data. So, for example, when it comes to, let's say, it's just a company and they need certain data from their clients, so they say you should take maybe the email, the what, that person is a data controller. But the one who actually processes that data and takes those emails and all that is known as the data processor.

Yes, okay. So companies, we can categorize companies as the data controllers, exactly, what information, yes, those people that are actually doing it are the processors, yes, and you are the data subject. Yes, that's clear enough.

So now, for people that have businesses, you know, we have young entrepreneurs who are watching and they are not very knowledgeable about these things, you know. So why is it important for them, as business owners, as entrepreneurs, to know that they need to protect their customers' data if they're taking it, and they need to get consent from their customers?

So first of all I would like to say that it's in the law. As you know, most people say that ignorance is no defense, but at the same time we acknowledge that there is need for more awareness and advocacy in terms of data protection, because, as you can see, our Act is 2019; 2019 is pretty recent. So there is still an awareness campaign that is going on in terms of data protection and data processing. So, according to the Office of the Data Protection, they mandate various businesses, organizations and all that to register with the Office of the Data Protection Commissioner. Why this is, because
you'll hear certain cases where people have gone to court and say that my data was used for this purpose and I did not consent to it. So you find that those are scenarios that you as a business person can prevent yourself from when you comply with some of these data protection laws that are there. So, for example, there was a case on Wajirah, I don't know if you've heard about it, Wajirah versus Machakos University. So her data, her photo, was posted in their website. So what she, exactly, so she went to court and the judgment was rendered that there was no consent; there was the issue of intellectual property, because the data was also used for commercial purposes, for advertising, yeah; and also she was given damages. So you as a business person, you prevent such issues and also you protect yourself from certain legal repercussions.

I love that you've mentioned that, because people might assume it's just the information that you take in, but it's also, you know, the photos, because we have content creators out here and you might just be on the street and you take a video of people, you know, but they have not consented to it, so you might also face legal charges for that.

Yes, yes, yes, exactly. So I think you also saw, I think there was a recent case where someone took a video in a public space and they were not allowed to do that. I think you know what I'm talking about. So it was an airport space. So there are certain areas where you're not supposed to take photos, and also, when you take photos in any place, you should at least consent to it. So ask someone, should I do this? You know, you don't want to end up facing certain repercussions and all that, yeah.

Okay, but is that not too dire, if you can put it like that? Because if, you know, public space, this is a content creator, and maybe, you know, you are focusing on a certain thing but someone just passes by, you know, they were not the main focus but
they just happened to be part of that video. So in that instance, do you have, you know, a case? You know, are you still liable?

Oh, what I can say is that it depends on: will that video show their face, and will that person complain? It shows their face and they complain, then yes. Exactly. So it generally just talks about someone's data, someone's personal information. You have the right to privacy; that is according to the Constitution. That's also one of the laws that is considered in terms of data protection and privacy. So when you talk about the right to privacy, you're limiting someone else's right to privacy, because, for example, you have the right not to be searched, your place not to be searched; you as a person, you have the right not to have certain information revealed about you in the public space when you've not consented. So while you do that, maybe you're infringing someone else's rights, yeah. So your rights will end where someone else's rights begin.

I love that: your right to privacy ends where someone else's right to privacy begins. Yes, I love that, that's very clear. So now, when we talk about the data protection impact assessments, so how is that done? For a small business owner, do you need to do it?

So a data protection impact assessment is done necessarily to evaluate whether the information you're collecting is high risk. So this is majorly done in companies that are collecting lots of data, and data that would probably be high risk, because also, according to the Data Protection Act, there are certain exemptions in terms of registering also. So, for example, you're still a startup and you have less than nine employees and your turnover is below a certain amount: there are certain exemptions, you're actually exempted from registering with them, because they also look at what is your turnover and your capabilities as well. However, there are certain areas in which, regardless of the number of employees, regardless of the
turnover, you're still mandated to register, for example the health sector, hospitality, yeah, and all that.

Yeah, and who does the assessment? For now, for the big companies, who is tasked to do the impact?

So, for example, a data protection officer, a data protection specialist, is mandated. As a company you will hire a data protection officer, because also that's one of the requirements that you could do. And if you're not there yet, you're not a big company, you're still starting out, you can actually outsource a data protection officer, yeah, to do that for you, so that you can get at least a data protection expert who can conduct all the risk assessments that are necessary and be able to just tell you, going forward, what are some of the organizational and security measures you can take, yeah.

For more you seated, and, you know, you said that our Data Protection Act is still young, we have not really stayed with it, so the awareness, we haven't really reached a reach where we can say everyone knows about it. But what is the compliance rate? You know, how would you say people have taken it so far?

You'd find that mostly the major companies, who have the most risk and also who will face the most repercussions in terms of personal data, are mostly compliant. But you find that, for example, these SMEs, the compliance rate is still a bit low. You find for some they will claim it's because of the capacity, maybe some of these people cannot maybe afford. However, this is something that you're still mandated to do. So for SMEs it's still low; for major companies like Safaricom, Miyate, which process a lot of personal data, it's mandatory and most of them have complied. But you'll also see, for example, in the organizations, there are still a few organizations that have not done that. We've also found that, apart from the small and medium enterprises, you find that there's still more awareness that needs to be done in terms of data
protection. So majorly the uptake with big companies, it's on a big scale.

All right. So now we've talked about me giving my data and it being used without my consent and, you know, the repercussions that are there. But now there's this case where I did not even give you my data and you have my data and you're sending me news and texts, you know, those betting firms that send you messages. And this I got from one of our viewers, the question. So he's asking: what do you do to stop those kinds of messages from getting to you?

I would say, for example, there was a case where someone, a lot of people have received such, myself, I have received a lot of unsolicited messages, and you wonder where your data was taken, yeah. So for that you actually go and complain at the Office of the Data Protection Commissioner. They have their website; they have a section on complaints where you will read your information, the details, where you got that unsolicited text from, and also it's important to also document the evidence that they actually sent you that. So you find that even the Office of the Data Protection have played a huge role in terms of data protection awareness, because you find that for most companies, unless I receive a penalty notice or enforcement notice, that is when I will take action and actually comply with data protection laws. So in such a scenario, just complain to the Office of the Data Protection Commissioner on their website, write the details, and they will investigate and they will take the necessary action to stop it.

Okay, and is this the same also when you have any other complaint, when, you know, your data, like what happened in that university, when you know that your data has been used wrongly, do you use the same route, go to the Office of the Data Protection Commissioner on the website and issue a complaint, or do you need to go physically? Which one is more effective? Physically to the
Office of the Data Protection?

Okay, as you can see, most of our services right now, government services, so mostly you'll just go to their website, all the information will be there. They also do a certain amount of awareness campaigns. However, they only deal with issues on data protection, so if it's not around that scope, you can just seek judicial redress and go to a lawyer who will institute that case in court, yeah.

So far, what are some of the data privacy issues and trends that have emerged recently?

We have the issue of surveillance, and it's actually a major topic right now. In terms of, for example, as you saw, because of some of these femicide cases, you saw that most of them are mandated that they have CCTV. So there was also an issue around that: how do you balance privacy and security at the same time? So there's the issue of AI and automated decision-making. So you find that, for example, in certain videos, or automated AI kind of fake, deepfakes, they have raised certain issues in terms of privacy concerns.

So would you mind explaining deepfakes for those that don't know about it?

Okay, okay. So deepfakes are mostly, as you can see, there are certain videos that you see and it's not that person who has said that, yeah. So it's something that was generated through artificial intelligence, yeah, and that also brings other issues of misinformation and disinformation. So that is a major issue right now, and that's why there's the need of an AI policy, because you only have one in the whole world; we have very few guidelines and also just one EU AI Act. So the issue of AI and privacy has also been something that is major. And also, for example, even when you use some of these AI apps, also some of this machine learning like ChatGPT, so you know you put all your information there. Exactly. So that is also another issue: they have your information, they have all your information.

Okay, and we don't know how, you know, how they're going to
use it. Exactly. Accountable to how they use it. And does our Data Protection Act also, you know, hold accountable those companies, the international companies that have our information? Like we use Google, you know, do they hold them accountable also?

So, as you can see from the case of Worldcoin, yes, yeah, so that was actually one of the major cases that came around in terms of data protection: how are they using their data? It's a company that is not from Kenya that is collecting some of our sensitive information, because biometrics are also very sensitive information. And those are instances, it's actually included in the Data Protection Act, in terms of cross-border transfers, in terms of international cooperation and all that. So there are certain procedures that the Office of the Data Protection will take to be able to hold certain companies accountable, and in that case it's by, let's say, limiting them, not giving them the registration certificates if they do the investigation and see that this is actually infringing your rights to privacy and also your data protection, your data is not protected enough. So those are some of the instances where the law has put in place to be able to protect your personal data from some of these international companies, yes.

Okay, I think we're doing great on that, and before we come to a close, you tell us about the best practices to follow to protect our data. I know there's this, you know, element of implementing data protection by design or by default, so kindly elaborate on this.

So privacy by design essentially talks about, while you're developing, let's say, any app or any tech that is going to be used, you ensure that in the development stage, in the initial stages, you incorporate the privacy aspect in it. So this is also actually one of the principles, in terms of privacy by design, privacy by default. So by design is, you design the innovation itself by ensuring that
it is incorporated in the beginning stages, and privacy by default now is later on, by ensuring that you take the necessary measures, actions, like what most companies are doing. Exactly.

All right, yeah, okay. So as we close on this, what are some of the best practices as an individual to follow in order to make sure that our data is safe?

Yes. First of all I would like to say this might seem like these things that you do, but they hold significant aspects. So, for example, your password: do not use a very easy password. Yeah, exactly. Just put your expected, as it says, put an uppercase, a lowercase, a numeral, yes, do all that, and let it not be very predictable. Also another thing you can do is, do not save it in your computer.

Oh yes, okay, yeah, so you're not supposed to click on "remember password"?

No, you'd rather just write somewhere all your passwords, because when you say "remember", there are certain aspects there, there are hackers out here that can be able to access because you've saved it through maybe your computer or anything. So that is also something that you could take.

Okay, so you'd rather log in every time that you're using a website or whatever. Okay, it can't protect your data.

Also another thing is, use the two-factor authentication method that is there, and also, anywhere you go, it's very necessary that you know your rights as a data subject. Ensure that you have the right to consent. Anywhere you feel like someone is asking for your data, you have the right to ask: how are you using this data? Because one of the requirements for data controllers and data processors is that when you're collecting any data from a data subject, and that means any company that is taking your data for whatever purpose, they're supposed to tell you what they're using that data for, for what purpose they're going to use it, for how long they're going to retain it, because that's also an issue. And also, if you feel like they're taking too much data that is not necessary,
that is also one of the principles, that you as a data subject, you're mandated to tell them: no, this is too much, I don't think I can give, use this data, and yeah.

All right, so it's just the small basic things that we can, you know, implement, and it makes all the difference.

Yes, as an individual. As a company you have a broad aspect; there's a lot you have to do. First of all, it's very important to have a data protection officer or outsource the service, compared to your capabilities. It's very important to register with the Office of the Data Protection Commissioner, because they also mandate, if there's any data breach, you're supposed to just let them know and indicate to them within 72 hours that there was a data breach and this and this happened, so that they can be able to also look into it. Okay. And also, as a company, just put the necessary organizational and company measures. You have to have also privacy policies, privacy and data protection policies, to ensure that if any data subject comes, they're able to read. Look, also you as a person, when you log into certain apps, when you download them, websites, I know a lot of people are just to get this, but just look at the privacy policy, what it says, and ensure that your data is not going to be used for whatever purpose.

Yeah, so we shouldn't say, no, you want to say agree, you know, you just go right to agreeing without knowing how exactly they're going to use your data. So it's very important. Thank you very much, Linda. Do you have anything that you want to add us to ask before we close?

Just be aware, and be aware about your data protection rights as a data subject, and if you don't know where to find some of these laws, you can just go to the Office of the Data Protection Commissioner website and look at some of these guidance notes, some of these issues in terms of data protection. For us, as Kenya ICT Action Network, we do a lot of
awareness and advocacy on data protection, so to ensure that we also have a safe online environment, and so that, as the future is digital, we are able to take advantage of some of this, take what the technology offers, and by that ensuring that also our data is safe and we are not just leaving our data out there for whatever purposes.

Okay, thank you very much, Linda, for coming on board and sharing such amazing insights on this topic. We hope to have you again.

Thank you so much, thank you for having me.

Most welcome. So that has been Linda, who's a lawyer and also a data protection specialist at KICTANet, talking to us about data protection and privacy compliance in Kenya. I hope you've taken a lot from this. Remember, you are a data subject; there's the data protection, you know, the data processor, rather, the data controller, and we all have our duties on this. If you are a data subject, know how you take care of your personal data so that it's not used anyhow; only give consent to your data. If you are an owner of a company, if you're an entrepreneur, SME, you know, make sure that you are compliant to the Data Protection Act, register with the Office of the Data Protection Commissioner and do your due diligence on everything. That has been it on sport of tech, my name is, we take a short break and then we are back with entertainment. Stick with us.