ENOCK KIPTOO, LLB

IGNITE PROGRAM DATA PROTECTION ASSIGNMENT

Your organization collects more data than necessary for processing customer orders, including
sensitive information such as social security numbers and medical history.

Guilty. The law requires collection of personal data to be adequate, relevant and limited to what is
necessary in relation to the purposes for which it is processed, and requires data controllers and
processors to collect data only for a purpose that is lawful, specific and explicitly defined (s. 28 Data
Protection Act, 2019, hereinafter, DPA). Regulation 6(2)(a) of the Data Protection (General)
Regulations 2021 requires that in collecting personal data, a company ensures that its processing
is limited to only that which the data subject or customer has permitted. An organization that
collects information its stated purpose does not require is in violation of the customer's right to
privacy. Under s. 29(c) of the DPA, the data controller is also required to inform the data subject of
the purpose for which their personal data is being collected, so collecting sensitive information from
customers without notifying them of the purpose of collection is a breach of privacy. Notice does not
cure the defect, however: social security numbers and medical history are not necessary for
processing a customer order, and medical history is in any event sensitive personal data under the
DPA, to which stricter processing conditions apply. Companies should structure their data collection
systems in a manner that accords with the elements of purpose limitation set out in Regulation 31.

Your organization obtains clear consent from customers before using their data for marketing
purposes, ensuring compliance with privacy regulations.

Not guilty. S. 25(a) provides that personal data shall be processed in accordance with the data
subject's right to privacy. The data subject has a right to be informed of the use to which their
personal data is to be put under s. 26(a) of the DPA. Furthermore, s. 30(1)(a) of the DPA requires a
company to process personal data only after the data subject has consented to its processing for a
specified purpose. Obtaining customers' consent and informing them that the data will be used for
marketing some of the organization's products or services therefore accords with Kenyan privacy law.
Because marketing is a commercial purpose, the organization must also process the data according to
the rules the DPA sets out for processing of personal data for commercial use. The organization should
further inform the customer of their right to withdraw consent at any time, and of the consequences of
withdrawal for processing that was carried out on the strength of the earlier consent.

Your company fails to regularly update and correct inaccurate customer information in its
database, leading to errors in billing statements and delivery addresses.

Guilty. A billing statement or delivery sent to a stale address discloses the customer's personal
information to whoever now receives it, and disclosure of personal information to third parties breaches
the Data Protection Act regardless of whether it resulted from an error. The data protection principles
in s. 25 of the DPA require personal data to be accurate and, where necessary, kept up to date, and the
data subject has a right to correction or deletion of false and misleading data about them
(s. 26(d) & (e)). Section 41(4) of the DPA further requires data controllers and processors to identify
internal and external risks to personal data and to establish and maintain appropriate safeguards
against such risks. Customer records going stale is exactly such a foreseeable risk; failure to regularly
review and correct inaccurate customer information is therefore a failure to identify and safeguard
against risks to the personal data in the company's custody.

Your marketing department shares customer email addresses with third-party advertisers without
obtaining explicit consent, using the data for unrelated promotional campaigns.

Guilty. Section 26(a) of the DPA gives data subjects the right to be informed of the use to which their
personal data is going to be put, and s. 30(1)(a) makes the data subject's consent to processing for a
specified purpose a condition of lawful processing. Sharing email addresses with third-party advertisers
for promotional campaigns unrelated to the purpose for which the addresses were collected, without
informing the data subjects and obtaining their explicit consent, is therefore unlawful; consent given
for order processing does not extend to an unrelated purpose. Promotional campaigns also fall within
the ambit of commercial use of personal data, so the requirements as to commercial use of data set
out in s. 37 of the DPA must be adhered to.

Your organization experiences a data breach due to inadequate cybersecurity measures, resulting
in unauthorized access to sensitive employee payroll information.

Guilty. Unauthorized access to personal information is unlawful. The law requires data controllers and
processors to take appropriate technical and organisational measures to ensure that their operations
do not put at risk the personal and sensitive information of data subjects in their custody. Section
41(4)(c) requires data controllers and processors to put in place measures that ensure the
pseudonymisation and encryption of personal data, so that data which is accessed without
authorization is not readable in the clear. An organization that fails to implement measures that will
thwart cyberattack attempts and protect the data it holds will be liable where the personal information
of its employees or customers is accessed by an unauthorized third party.
