Financial Crime World

Kenyan Companies Face GDPR Compliance Challenges

The General Data Protection Regulation (GDPR) came into effect in May 2018, and Kenyan companies that deal with EU citizens’ personal data are under increasing pressure to comply with the new regulations. The GDPR aims to protect individuals’ personal data and provide them with more control over how their information is used.

Who are the Recipients of the Data?

The recipients of the data are primarily European Union (EU) residents, who have entrusted their personal data to Kenyan companies for various purposes such as business transactions, marketing, or online services. The GDPR requires that these companies ensure:

  • The confidentiality and integrity of processing systems
  • Pseudonymization and encryption of personal data

Period of Time the Data Will be Processed

The period of time the data will be processed depends on the purpose it was collected for. If the data is no longer necessary for the original purpose, it must be erased. However, if there are other legitimate purposes, such as marketing or legal obligations, the data may need to be retained.

Meaningful Information about How the Information is Used

Kenyan companies processing personal data of EU residents must provide transparent information about how their personal data is used and stored. This includes:

  • Providing a clear explanation of the purpose and duration for which the data will be processed
  • Informing individuals about their rights to access, rectify, or erase their personal data

Right to Be Informed

Under the GDPR, EU residents have the right to be informed about any transfer of their personal data to another country or organization. Kenyan companies must:

  • Provide this information
  • Ensure that the recipient also complies with GDPR requirements

Right to Erasure (Right to Be Forgotten)

EU residents also have the right to erasure, which means they can request that their personal data be deleted from a company’s systems. Kenyan companies must comply with these requests unless there are legitimate reasons for retaining the data.

Consequences of Non-Compliance

Non-compliance with the GDPR can result in severe penalties, including:

  • Fines up to €20 million or 4% of a company’s global annual turnover

Therefore, it is crucial that Kenyan companies take proactive steps to ensure GDPR compliance.

Way Forward

To navigate the complex process of GDPR compliance, Kenyan companies are advised to invest significant time and resources into understanding the regulations and implementing necessary changes. PwC Kenya offers expert advice on:

  • Drafting or reviewing contracts to ensure GDPR compliance
  • Mitigating risks associated with non-compliance

For more information or assistance, please contact: