In Kenya data protection is handled in several sections of the law:

• 2010 constitution Article 31 and Article 2 that gives a right to privacy
• Kenya Information and Communications Act (KICA) sections 30,31 and 32 that deals with any unauthorized interception of messages in a telecommunication network.
• Computer and Cyber-crimes Act 2018 sections 11 and 14 deal with reporting breaches and unauthorized access.
• Data protection Act 2019 applies to the processing of personal data by organizations.

The Constitution of Kenya guarantees the right to privacy as a fundamental right. To give effect to this constitutional right under Article 31(c) and (d), the Data Protection Act, 2019 was enacted and came into effect on 25 November 2019.

The Act applies to all processing of personal data by any data controller or data processor (Organization that collects data from its clients) established or resident in Kenya and who processes personal data while in Kenya, or not established/residing in Kenya but processing personal information of data people located in Kenya. Personal data may only be processed on the lawful basis provided under the Data Protection Act.

The Data Protection Act, however, comes in to provide a legal framework on personal data usage.

The law sets out several requirements that must be put in place when handling another’s data and this includes processing and profiling. If you are encouraging customers to register for SMS Marketing as part of general registration, there must be an opt-in for this channel that is either blank or set to ‘no’. Although this has been best practice for some time now, many websites have continued to use a pre-ticked box on such forms that sign the customer up for marketing and other communications unless they choose to opt out.

The data must be handled lawfully, accurately and the data subject’s consent must be given before it is shared with third parties. In the case of a business, when a client gives you their personal information, then you must honour the law’s provisions when interacting with that data. For example, you cannot disclose their information to others without seeking the consent of your customers. In addition, you should not keep and use personally identifiable data beyond its intended use. For marketing purposes and before the transfer of data to a 3rd party, Data Subjects are required to give consent first to the Data controller.

Furthermore, you should not transfer personal data outside Kenya unless there is proof that another country has adequate data protection safeguards or consent for the Data Subjects. There was an initial fear around this but this allows the use of services like cloud-based IT services. There is a caveat in that the office of the Data Protection Commissioner can prohibit and restrict this. A Data controller has to submit to the office of the Data Protection Commissioner and Data Subjects a notification of breach on personal data within 72 hours.

For SMS Marketing, this means including an opt-out option in every message – which those already using SMS marketing should have already been doing. It is also essential to ensure that the option to opt-out of SMS Marketing communications is available elsewhere, for example via an obvious, dedicated link on your website. Your terms and conditions should also make clear how to specifically opt out of SMS communications, as well as other channels.

It is therefore important to ensure your organization has a good understanding and documented record of the data held and the specific permission to use it. In addition, it is also important to check if it is now necessary to gain or refresh consent for the data you hold – in the case of SMS Marketing lists, there may well be a need to ask customers to refresh their permission.

Companies are now required to ensure there is a defined policy for how long personal data is retained, to make sure that it is not retained unnecessarily and ensure its kept up to date. You should also have an effective system for managing opt-outs to ensure that such users wish are respected.