EY Kenya Data Protection & Privacy Survey, 2022, was launched mid this year with a goal to firstly gauge how far along organisations are in their compliance journeys. Secondly, to identify the difficulties that companies are having in their pursuit of compliance. Thirdly, identify the important success factors for firms that have attained a high level of data protection and privacy maturity.
From February 2022 through May 2022, EY (Ernst and Young) conducted surveys at several businesses, including top banks, insurance firms, SACCOs, and healthcare facilities. This was mostly done through interviewing the senior executives, legal teams, technology teams and risks management teams.
From the survey, 50% of the organisations operate outside Kenya. For these organisations, a data controller or processor may transmit personal data to another nation under the following:
- The personal data is protected and secured with appropriate measures, which have been implemented.
- The Data Commissioner has issued a determination regarding sufficiency.
- Consent has been obtained from the data subject.
- Binding corporate rules are in place for a group of enterprises
The following was noted from the survey concerning the governing documents that have been formally established:
b) 27% have established data protection/privacy framework
c) 19% have established data protection/privacy strategy
d) 4% have not yet established any governing document
The survey made the following observations concerning the standard operating procedures that support daily data protection and privacy operation tasks in the organisations:
a) 21% use data classification procedure
b) 20% use training and awareness procedure
c) 16% use breach management procedure
d) 15% use third party risk management procedure
e) 13% use the DPIA procedure
f) 7% use the DSAR procedure
g) 5% use the personal information inventory procedure
h) 3% do not use a standard operating procedure
On how frequently the companies do privacy audits, the survey revealed that;
a) 32% temporarily
b) 25% annually
c) 25% have never conducted privacy audit
d) 6% once every two years
e) 6% do it quarterly
f) 6% conduct semi-annually
56% of the organisations were reported to have a Data Protection Officer and further, 78% of the organisations confirmed that the Data Protection Officer performed other roles in the organisation including CISO, data governance, the roles of a chief risk officer, records officer, information security manager and those of ICT.
19% of the Data Protection Officers report to the Board of Directors, 38% report to the Head of Risk while 43% report to other people in the organisations including Head of Audit, Legal and Head of Data & Analytics.
From the survey, a Data Protection Officer may work for an organisation as a staff member and perform other jobs as long as they don’t create a conflict of interest. Further, the contact information for the DPO must be shared with the Data Commissioner and made available on the website of the data controller or processor.
The roles of a Data Protection Officer include;
i. Informing staff about the Data Protection Act or any other written law
ii. Facilitating compliance with the Data Protection Act
iii. Promoting the development of staff members involved in data processing operations
iv. Giving guidance on data protection impact assessment
v. Working together on data protection issues with the Data Commissioner and any other authorities.
Further, the survey revealed that 75% of the organisations do not have a privacy steering committee. The composition of the committee from the other 25% consisted of data owners, risk, legal, compliance, CISO, audit, data governance, IT security and business change management.
28% of the organisations have data privacy champions, another 28% have data privacy program managers, 6% have data privacy analysts while 38% did not have the roles.
68% offer mandatory data training to their employees whereby 30% of the organisations offering mandatory data training and/or education did it periodically, another 30% annually, 205 trained quarterly while 20% conduct data privacy training semi-annually.
On the category of training, the survey revealed that 32% trained on general privacy awareness for all employees, 19% focused on role-based training for specific employees, another 19% offered sponsored courses/certifications to their employees, 16% trained on customer privacy awareness while 12 % offered board level training.
On the type of technologies being actualized in the organisations, the survey noted the following:
i. 20% use endpoint protection
ii. 14% use DS/IPS
iii. 13% use encryption
iv. 13% use PAM
v. 13% use SIEM
vi. 9% use Data classification
vii. 9% use DLP
viii. 9% use PIM
The survey also noted that 19% of the organisations had registered with the Office of the Data Commissioner while 12% having submitted a Data Protection Impact Assessment report and no organisation have submitted a breach notification to the Data Commissioner since the commencement of the Kenya Data Protection Act. 2% of the organisations have responded to a data subject access request or complaint.
It was a major concern that the absence of support from senior and executive management is a major source of frustration for firms trying to comply with data protection and privacy laws. In the end, this leads to the misallocation or shortage of resources. For instance, a company might not have the staff to monitor, create, and maintain an internal data protection and privacy program, let alone a budget designated specifically for such efforts.
Finally, the survey concluded by appealing to organisations to start their path toward compliance and work continuously to maintain compliance.