By Grace Bomu*
CIPIT welcomes the publication of the Data Protection Bill by Kenya’s National Assembly. The center has been involved in policy development for the digital economy in Kenya and Africa at large. In 2014, CIPIT gave input to the African Union Convention on Cybersecurity and Personal Data Protection, emphasizing on the need to protect and promote the right to privacy. Since then, there has been massive development in the data economy in both the public and private sector. CIPIT has previously recommended a comprehensive data protection framework for Kenya.
The Centre has reviewed the proposed law and submitted comments to the Clerk of the National Assembly. From our interaction with micro, small and medium enterprises (MSMEs) in the digital space, we have observed that these entities work in extremely different circumstances from traditional enterprises. Some of them are one-person operations that outsource services such as accounting on a need basis. It would be difficult for them to comply with the registration requirements, compared to larger entities that have dedicated compliance departments. We, therefore, propose that as the Bill requires registration of data processors and controllers, the data protection framework be tiered, and that consideration be given to the type of data being handled by data processors and controllers.Continue reading