Home Data Security Approval granted to an additional 500 data handlers within a three-month period

Approval granted to an additional 500 data handlers within a three-month period

ODPC Director General Immaculate Kassait

Over the span of three months, ending in August 2023, the Office of the Data Protection Commissioner (ODPC) granted approval to an additional 505 data handlers. This has brought the total number of approved data handlers to 2,808, a notable increase from the 2,303 recorded at the end of May.

The process of registering data handlers was initiated on July 14th of the previous year following the enactment of regulations by Parliament. These regulations necessitate that all entities dealing with personal information must register as data processors and controllers.

These regulations encompass the Data Protection (General) Regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021.

In January, Data Protection Commissioner Immaculate Kassait introduced a data protection registration system designed to empower applicants in streamlining the registration process for enhanced compliance.

Prior to the implementation of this system, only 1,417 entities had received certification during a six-and-a-half-month registration campaign. The system allows eligible entities to apply for registration through the ODPC website, have their documentation verified, and receive a digital certificate. The registration costs range between Sh4,000 and Sh40,000.

Entities found to be in violation of these regulations may face fines not exceeding Sh5 million or up to one percent of their annual turnover. Smaller organizations with an annual turnover of less than Sh5 million or less than 10 staff members are exempted from this registration requirement.

This legislative action was prompted by a surge in complaints concerning the absence of data protection laws and the misuse of personal information, particularly by digital lenders, political parties, and human resource (HR) managers.

The categories of entities subject to mandatory registration encompass telecommunications firms, digital ride-hailing service providers, building managers, as well as businesses operating CCTV, dispensaries, primary, and secondary schools.

Immaculate Kassait identified 13 sectors that require compulsory registration, including genetic data processors such as medical research companies and medical labs, bars, restaurants, healthcare providers, law firms, property managers, real estate agencies, and financial service providers like digital lenders, Saccos, and mobile money agents.