Data and Commerce
CIPIT | October 31, 2023
The executive summary for the report:
Banking institutions, as with many other entities, are increasingly handling personal data owing to an increased use of different technologies to offer banking services. Increased handling of such personal data coupled with new statutory requirements relating to data protection have placed renewed emphasis on the efforts used by banks to create and communicate policies for handling data subjects’ information. This report analyses the publicly available data policies of commercial banks in Kenya, providing an overview of the approaches taken by the studied banks with respect to data protection for existing and prospective customers.
This report compares the banks’ data policy provisions against a data protection standard developed using the provisions of existing national and international data protection regimes, including the Kenya Data Protection Act 2019 (DPA) and the European General Data Protection Regulation (GDPR). This standard comprises three broad indicators: data collection, data sharing, and the rights of data subjects. Compliance with these indicators is measured using tabulated analyses showing the individual and aggregated performance of the banks.
The report’s conclusions are derived from research conducted in Kenya in 2019 and 2020. A total of 32 policies were identified and analyzed, all of which were in existence prior to the enactment of the Kenya DPA. This report is therefore a baseline study of the policies; the report anticipates that there will be changes in banking policies as the DPA is put into practice. The findings in this report will be useful for comparative purposes as the DPA is implemented and enforced.
Key Findings
On average, the banks were found to be more likely to have unclear or incomplete policy provisions in all categories. Provisions relating to data collection were the most compliant while provisions relating to rights of data subjects had the lowest compliance score.
There is a notable variance in the performance of banks with regard to rights of data subjects. A large number of banks lacked any policy provisions in this category while a similarly large number of banks were clustered at the higher scores. This disparity suggests that the banks took two general approaches, i.e., to exclude policy provisions relating to data subjects’ rights altogether, or to incorporate such provisions clearly and completely.
Overall, provisions relating to the purpose of processing data were the most compliant among all provisions in all categories. Provisions relating to the rights of data subjects to object to the outcome of an automated decision were the least compliant. Clarity or completeness of provisions was a problem for a large number of the policies, and the overall readability of the policies may present challenges to banking customers that are likely to have a wide range of formal education.
Although the report highlights that the banking sector falls short of what we consider internationally-recognized norms in data protection, the data also show that data protection policies are widely present in the sector, and can be modified to become compliant.
Summary
The increased use of digital platforms in Kenya has changed the manner in which marketing is conducted. Many companies and individuals have embraced direct marketing because it is affordable, attracts new customers quickly, and reaches target customers efficiently. Direct marketing matters to marketers because it allows them to promote a product or service directly to their target audience. The availability of various marketing tools and the benefits that accrue from direct marketing have attracted many businesses, causing many to incorporate the practice in their daily activities.
The purpose of this policy brief was to identify existing Kenyan laws that are applicable to the practice of direct marketing, identify any gaps in this legislation, and come up with policy recommendations based on comparison with other jurisdictions. The approach used involved doctrinal research, which was useful in analysing existing Kenyan laws to identify direct marketing provisions. A comparative analysis approach was also employed, and it was useful in coming up with appropriate policy recommendations based on the gaps identified.
The findings from the policy brief indicate that:
- Kenya already has four laws that are applicable to the practice of direct marketing.
- Key definitions which are fundamental ingredients of direct marketing are not included in the legislation analysed.
- The existence of big data has transformed how marketing is conducted.
- External jurisdictions have made an effort to protect data subjects in the commercial use of personal data.
- Numerous jurisdictions have updated their privacy laws and subsequently included direct marketing provisions so as to protect consumer data and measure up with global marketing privacy standards.
The full policy brief attached herein contains the detailed analysis of the findings that were obtained and the policy recommendations that were made.
Summary
SMEs (small and mid-size enterprises) play a crucial role in job creation and contribution towards the Gross Domestic Product (GDP) in Kenya. In order to reach many customers, SMEs have embraced digitalization and some are utilizing personal data to advertise products to potential customers. Various direct marketing tools are now being used to reach customers and this has been made possible through the use of social media, email and also applications designed for sending text messages. The use of personal data for commercial purposes means that SMEs are required to comply with data protection requirements.
This SME Manual on commercial use of personal data (direct marketing) in Kenya is meant to inform SMEs of the legal and regulatory landscape that governs the commercial use of personal data. It is also designed to enable SMEs to grasp the fundamental terminology involved in direct marketing and the data protection requirements they are supposed to comply with when engaging in direct marketing practices. For compliance purposes, the manual contains a checklist formulated in accordance with the Data Protection Act 2019 and the Data Protection General Regulations 2021 that will enable marketers to comply with the law and avoid sending unsolicited communication to potential customers.
Privacy Score Card Report
Summary
Together with Unwanted Witness (UW), the Center for Intellectual Property and Information Technology Law (CIPIT) contributed towards the 2022 Privacy Score Card report, in which we evaluated data protection compliance in three sectors in Kenya and Uganda. The evaluation focused on the financial services, telecommunication and e-commerce sectors. The primary methodology for the evaluation looked at the privacy policies of 2 select companies within the sectors and assessed those policies against five core indicators:
- Existence of an accessible, public, readable, and noticeable privacy policy.
- Informed consent: this looked at the company’s contact details, purpose of data collection, type of data being collected, and rights of the data subject.
- Data collection and third-party data transfer: information on which parties have access to collected data.
- Data security: security of the web browser, validity of the website, and technical and organizational measures utilized to secure data.
- Accountability: published transparency report in the year under review.
The primary findings from the report showed:
- There is ongoing compliance with data protection laws; however, there are gaps and areas of improvement that need to be addressed.
- The compliance of the Kenyan sectors stood at 47.4%.
- Compliance in the Kenyan financial sector stood at 49%, the e-commerce sector stood at 53.8% and the telecommunication sector stood at 39.4%.

The percentages reflected above are a measure of compliance of the companies in the respective sectors based on the evaluation of their publicly available privacy policies, and not of their internal data protection and privacy policies.
This report reflects the findings from Kenya. The findings of both Kenya and Uganda are reflected in the 2022 Privacy Score Card.