INTERNATIONAL REGULATION TRENDS ON E-ARCHIVING & DATA PRIVACY
The General Data Protection Regulation (GDPR) came into effect for Europe and the UK on 25 May 2018. The main thrust of this regulation is to give people increased control over their personal data. It requires organizations to proactively ensure compliance in order to safeguard not only their direct customers’ data, but also the data of anyone who transmits it through interaction with the firm’s products. In its current form, the GDPR has set provisions for fines up to €20 million for offenders or up to 4% of annual worldwide turnover for the data controller.
While the GDPR may be a European regulation, it is one that Kenyan companies will need to monitor, as it directly relates to the growing consumer trend for more control over personal data. More locally, Kenya generally has an unregulated space with respect to data protection and does not currently have specific data protection legislation. However, new legislation in the form of the Kenya Data Protection Bill 2018 is set to change the landscape. It is envisioned to provide regulation around registration of data controllers, establishing principles of data collection and defining who has grounds for collecting, processing and storing sensitive personal data. This will create a compliance issue for many companies if they do not start taking the necessary early steps now to understand the regulation and its impact, and prepare for any necessary implementation activities. It will also have a significant impact on how companies store data, whether physical or electronic, as well as who they partner with to achieve this.
The use of third-party customer data in Kenya without the owners’ permission is quite evident across many sectors. With digital loans reaching 6.1 million Kenyans in 2018, concerns are being raised about loan applications that run data mining algorithms over private cell phone data to establish affordability and loan terms and to target potential customers. This is just the tip of the iceberg. As standardization and global adoption become more real in the East African context, companies will soon be in a rush to comply with data protection laws.
Trying to implement an enterprise-wide response to a new regulation can be quite costly. It is more efficient for companies to become data aware and start taking focused implementation steps towards full compliance within an agreed period, before the regulations come into effect. So what does this mean for firms that have deployed physical archives as well as digital storage systems and processes? Archiving user data will carry increasing weight and entail more protection than ever. The time to take up GDPR and Data Protection Regulation is now. In order to mitigate the in-house risk of technology failure and key-man risk, and to increase robustness and redundancy, employing an outsourced compliant archiving service is essential for companies that handle personal data.
As companies seek to comply with the increasing regulation around data use, some key principles of the GDPR, particularly Article 5 of the regulation, can guide company implementation objectives:
Personal data should be processed fairly and transparently by organizations
The use of any data collected must be specific, explicit and legitimate
Use of the data should be limited to the purpose for which the data was requested
Organizations need to reasonably ensure that personal data is up to date.
In addition to this, there is increasing regulation around the rights of individuals, especially those whose data is in use by companies. People will now have the right to be informed about how their data will be used, as well as to have access to their personal data when required. Firms will also have to simplify the ways in which people can correct erroneous or inaccurate data about them and find out whether their data has been disclosed to third parties. Interestingly, the ‘right to be forgotten’ is now enshrined in these laws. This means that individuals with reason can request that their data be permanently erased from records, which brings new challenges for record keeping and accountability.
With the noose tightening around requirements that companies must demonstrate compliance, seeking advice from a reputable Electronic Archiving partner will go a long way to ensuring data strategies protect firms in the short and long term. This will embed data protection in data digitization and storage processes by design and default. Engaging a partner means that organizations will save the cost of investing in the technology, processes and training to secure and manage personal data, and will be prepared for third-party audits, ensuring that controls are enforced and can be presented to the regulator in a timely manner.
Denis Githinji – Customer Experience Manager C&R Group