The Office of the Data Protection Commissioner (ODPC) wants companies and businesses that fail to comply with data logging to be denied business licenses.
The ODCP is set to discuss with regulators in sectors such as insurance, investment banking, betting and gambling, telecommunications and hospitality to make data logging a prerequisite for the issuance of an operating license.
The bureau is now pushing for industry regulations to be changed to reflect this requirement, citing the Central Bank of Kenya (Amendment) Act 2021 which saw mobile money lenders fall under the scrutiny of the CBK and required them to have a certificate in accordance with data protection law.
“We are entering into discussions with regulators to make this a prerequisite for you to board for your license. This is in everyone’s interest,” said Data Protection Commissioner Immaculate Kassez.
ALSO READ: Data privacy boost as new rules come into effect
The regulations require all public and private entities that process personal data to register, including NGOs, churches and businesses operating CCTV systems off their premises.
The requirement covers companies and organizations that process personal information to solicit political support, gambling, crime prevention and the prosecution of offenders.
Others include schools, hospitals and businesses in the hospitality industry excluding tour guides, property management companies, financial service providers, telecommunications operators, direct marketing, transport services and companies that process genetic data and any other organization with human resources functions.
Earlier this year, the CBK Amendment Act was enacted and gave the banking regulator the power to license and supervise digital credit providers.
Digital lenders have been consistently accused of breaching the privacy of defaulting borrowers’ information and hiding the terms of their loans, paving the way for predatory lending.
ALSO READ: Digital lenders under investigation for sharing defaulters’ data
The tougher data protection rules follow reports that more than a fifth of Kenyan businesses were sharing customers’ financial and personal information with third parties without the customer’s consent for analytics, transaction processing , sending SMS alerts or to advertisers.
The ODPC will also list companies that have complied on their website for their customers to see after obtaining the registration license.