Through its press release, the ODPC indicated that an audit process has begun on 40 digital lenders who it now requires to provide documents relating to their data protection systems by 18 October 2022. Failure to meet this requirement is deemed to constitute an offence under the Data Protection Act (Act).
This article discusses the powers of the ODPC, the complaints mechanisms and remedies for data subjects and the penalties that may be imposed on data controllers and data processors under the Act and the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 (Regulations).
Functions and powers of the ODPC
The Act clothes the ODPC with broad supervisory powers in relation to the processing of personal data. Firstly, the ODPC is mandated to register all data controllers and data processors that meet the threshold for registration under the law. Our legal alert on the requirement for registration with the ODPC as a data controller or data processor may be read here.
The registration process gives the ODPC some insight into the sort of personal data and sensitive personal data that data controllers and data processors are processing, the risks involved, the measures taken to manage these risks, and the size of the operations of any applicants for registration. The registration process forms a good starting premise for the execution of the ODPC’s supervisory mandate. However, as at September 2022, it had not gained much traction as only a reported 19% of surveyed firms had actually registered as data controllers or data processors. The ODPC’s own press release (also in September) indicated that only 1,660 applications had been received and only 332 applicants had been issued with registration certificates.
Besides its mandate as a registrar for data controllers and processors, the ODPC has the following broad oversight functions under the Act:
- overseeing data processing operations, either of its own volition or at the request of a data subject and verifying whether the processing of data is done in accordance with the Act;
- conducting assessments either on its own initiative or otherwise for the purpose of ascertaining whether personal data is processed in accordance with the Act or any other relevant law;
- receiving and investigating any complaints on infringements of rights under the Act; and
- carrying out inspections of public and private entities to evaluate the processing of personal data.
The Act also provides the ODPC with the broad supervisory power to:
- conduct investigations on its own initiative or otherwise;
- issue summons to a witness for investigative purposes;
- require any person that is subject to the Act to provide explanations, information and assistance in person and in writing;
- impose administrative fines for failures to comply with the Act;
- carry out periodical audits of the processes and systems of data controllers or data processors to ensure compliance with the Act;
- undertake any activity necessary for the fulfilment of any of the functions of the ODPC; and
- exercise any powers prescribed by any other legislation.
The above powers (especially the last two) are manifestly broad in their wording, purpose and applicability and offer legitimacy to the ODPC’s ongoing audit process.
Complaints to the ODPC
The Act allows for complaints to be lodged orally or in writing, including through electronic means such as email or web posting (e.g., through the ODPC’s website). Complaints must be investigated and concluded by the ODPC within 90 days in line with the Regulations and may be lodged by a complainant in person or by a person acting on their behalf or even anonymously.
The ODPC is required to acknowledge a received complaint within 7 days and thereafter to vet it prior to either admitting it for investigation or advising the complainant that the matter falls outside its mandate or within the mandate of another institution, and then referring it to that other institution. Complaints may also be denied admission if they don’t raise any issues under the Act.
Upon admission of a complaint, the ODPC is required to notify the respondent of the complaint lodged against them within 21 days and may conduct an inquiry or investigation, or facilitate the resolution of the complaint through mediation, conciliation, negotiation or other mechanisms. Within the 21-day period, the respondent is also required to make representations and provide any relevant material or evidence in support, review the complaint with a view of summarily resolving the complaint to the satisfaction of the complainant, or provide a response with the required information. Upon the conclusion of investigations into a complaint, the ODPC is required to make a determination in writing setting out, among other things, its decision and the remedy to which the complainant is entitled. Such decisions of the ODPC are binding and enforceable in the same manner that court orders are enforced.
Penalties and remedies under the Act
Where the ODPC finds fault with any respondent pursuant to a complaint, it may issue an enforcement notice requiring the respondent to take certain prescribed steps to correct its contravention of the law. Where any recommended remedial measures prescribed under the enforcement notice are not carried out by the respondent within the timeframe set out, an offence is committed under the law. The concomitant penalty upon conviction is a fine of up to KES 5 million and/or a jail term of up to 2 years. An administrative penalty of up to KES 5 million or, in the case of an undertaking, up to 1% of its annual turnover for the preceding financial year (whichever is lower) may also be issued by the ODPC.
Key take aways
The issuance of the assessment and audit notice is a clear signal to all entities that handle personal data and sensitive personal data that the ODPC is actively exercising its oversight mandate and keeping a close eye on the sectors that are experiencing widespread abuse of data subject rights under the Act. Reports of inappropriate use of personal data for commercial purposes (such as marketing and debt collection purposes in the digital lending sector) have dominated the instances of reported abuse of data subjects’ rights and have no doubt contributed to the ongoing assessment and audit. It is likely that other sectors that leverage the digital usage of personal data for commercial purposes as well as entities that handle large volumes of sensitive personal data will also be brought under the ODPC’s scrutiny. Relevant stakeholders therefore ought to take measures to align their data processing activities with the Act and Regulations so as to avoid becoming the subject of the exercise of any supervisory or oversight directives from the ODPC. Examples of possible compliance measures include:
- conducting internal data protection compliance audits including the review of data processing agreements, privacy policies/manuals and processing operations;
- conducting technical security safeguards appropriateness checks; and
carrying out data protection awareness training to help strengthen the culture of data protection among staff/personnel within an organisation.