The Office of the Data Protection Commissioner (ODPC) vide a Gazette Notice No. 4697 informed the public that a Regulatory Impact Assessment (RIA) on the proposed Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 had been prepared. The aim of the RIA is to assess the impact of the Regulations on the community and businesses. The objective of the Regulations is to facilitate the registration of data controllers and data processors pursuant to Part III of the Data Protection Act, 2019.

The RIA provides a detailed evaluation of the potential impact that the regulations may have in order to determine whether the Regulations will achieve the desired results. Furthermore, the RIA is geared towards ensuring that the Regulations are welfare-enhancing from the societal viewpoint, in that, the benefits will surpass costs. The RIA therefore has an objective of improving the understanding of the real-world impact of regulatory action, including both the benefits and the costs of action, integrating multiple policy objectives, improving transparency and consultation and enhancing governmental accountability.

Regulatory Impact Assessments are based on Part III of the Statutory Instruments Act, 2013 (‘the Act’). The Act notes that where a proposed statutory instrument is likely to impose significant costs on the community, the regulation making authority shall prepare a regulatory impact statement about the instrument. A RIA should give details of the proposed statutory instrument in clear and precise language as well as include: –

(a) “a statement of the objectives of the proposed legislation and the reasons for them;

(b) a statement explaining the effect of the proposed legislation, including in the case of a proposed legislation which is to amend an existing statutory instrument the effect on the operation of the existing statutory instrument;

(c) a statement of other practicable means of achieving those objectives, including other regulatory as well as non-regulatory options;

(d) an assessment of the costs and benefits of the proposed statutory rule and of any other practicable means of achieving the same objectives;

(e) the reasons why the other means are not appropriate;

(f) any other matters specified by the guidelines;

(g) a draft copy of the proposed statutory rule.”

The assessment of the costs and benefits in the RIA should include an assessment of the economic, environmental and social impact as well as the likely administration and compliance costs including the resource allocations costs. 

In regards to the impact on Fundamental rights and Freedoms, Environment and administrative actions, the RIA notes that it will not have any negative impact. Importantly, the draft Regulations do not contain provisions that have a likelihood of impairing or prejudicing the right to any fair administrative action of an individual.

The Regulations impose additional costs on the private sector as the private sector is required to register and renew fees in registering as data controllers or data processors. However, though this is the case, the RIA notes that it is expected that the registration of data controllers and data processors will motivate the legal compliance of all entities that are processing personal data. Consequently, this will enhance the business management aspect of processing personal data by better management and storage of personal data, leading to better business practices. The requirement to register that attracts the cost will equally enhance customer security given that all persons processing personal data would register. Importantly, the requirement to display the registration certificate will instil faith in data subjects ensuring that the personal data of citizens is handled in accordance with the Law.

Regarding the Public Sector, the RIA notes that the Regulations impose additional costs on the sector. This is because it requires entities within the Sector to register either as data controllers or data processors thereby attracting registration and renewal fees. On the other hand, it is anticipated that the benefit that the Sector will gain is the assurance to the general public and business community that the sector entities have committed to handling personal data of data subjects in compliance with the Data Protection Act and specifically in adherence to the principles of data protection. Furthermore, a positive externality will flow from this imposition to the extent that it would directly create demand for more business, hence contributing to the growth of the gross domestic product (GDP). Additionally, simplified provisions of registration reduce the compliance.

The Statutory Instruments Act requires that alternatives to the regulations be listed. To comply with this provision, the RIA notes that the draft regulation is not the only means of realizing policy objectives intended in overseeing the conduct of data controllers and data processors. The other alternatives that could be useful in dealing with certain aspects of personal data protection to the RIA are Policy guidelines, self-regulation, co-regulation and procedural guidance notes as the alternatives.

In addition, the RIA also notes that the small enterprises stand to gain from the draft regulations. This is due to the fact that the data controllers and data processors that have less than 10 employees and a turnover/revenue less than KES 5 Million are exempt from registration. This is expected to create a positive impact in terms of providing incentives to the small enterprises.

It is also anticipated that the net benefit will increase even when data controllers and data processors are making renewal of their registrations. The cost of renewal is lower than the cost of registration. In addition, there are other numerous non-monetary benefits that registered data controllers and processors stand to gain including improving their reputation and trust with clients and funders. Generally, according to the RIA, it is anticipated that newer industries in the data protection ecosystem will be created thus creating jobs and improving the growth of Kenyan economy as well as boost international trade.

Members likely to be affected by the proposed Regulations have been advised to submit a written memorandum and send it to the email – dataprotectionregulations@odpc.go.ke within fourteen (14) from 13th May, 2021.