Data Protectors Podcast
The Data Protectors Podcast brings together Kenyan and European experts to explore different aspects of data protection compliance, share lessons learned, and identify opportunities created with the enactment of Kenya's Data Protection Act and the European Union's General Data Protection Regulation (GDPR).
Its objective is to help small businesses, data processors and collectors in Kenya to comply with these data protection regulations, raising awareness of how data protection laws affect their organisations and the data subjects from whom they collect data.
Episode 1: Principles of data protection
The first episode of the Data Protectors Podcast touches on data protection principles and how small businesses and organisations can integrate them into their operations.
Whereas SMEs, start-ups and small civil society organisations are slightly different in their business models, they all face similar challenges regarding data protection compliance. More often than not, these organisations are resource-starved, meaning that they lack the capacity to, among other things, invest in compliance or the capacity to hire skilled data protection officers to guide them through compliance.
Our speakers Liesa Borghaert and Mercy Mutindi delve into the seven data protection principles: (1) lawfulness, fairness, and transparency; (2) purpose limitation; (3) storage limitation; (4) data minimalisation; (5) accuracy; (6) integrity and confidentiality; and (7) accountability. Most importantly, they provide practical advice on how to incorporate these principles into organisations’ day-to-day operations.
- Megan Kathure, Tech policy analyst
- Mercy Mutindi, General Counsel & Director Compliance at Wasoko
- Liesa Boghaert, Attorney-at-law at Timelex and GDPR expert
Episode 2: Registration as a data controller or processor
The Data Protection Act 2019 introduced an obligation for certain entities that process personal data in Kenya to register with the Data Protection Commissioner (ODPC). Specifically, all data controllers and processors that have an annual turnover or annual revenue above Kenya Shillings five million (KES 5,000,000/=) and/or more than ten (10) employees must register with the ODPC. However, even smaller organizations with a turnover below 5 million shillings and less than 10 employees must register if they operate in certain sectors.
In the second episode of the Data Protectors Podcast, Rosemary Koech and Elaine Wangari explore who is required to register, why it is important to register and how exactly one can register with the Office of the Data Protection Commissioner.
- Priya Shah, Director of Risk and Privacy Compliance at Carepay Ltd
- Elaine Wangari, Data Protection Specialist at HTB Group London
- Rosemary Koech, Co-organizer of Nairobi Legal Hackers and DPO at KCB Group
Episode 3: The cost of compliance
Episodes 1 and 2 of the Data Protectors Podcast presented the data protection principles and the first component of compliance, which is registration. Episode 3 builds on these themes to further explore the costs of complying with the Data Protection Act.
In this episode, moderated by Susan Wajiku, lawyers Catherine Kariuki and Cynthia Chepkemoi detail what documentation small and medium-sized enterprises need to be compliant. They also explain how to get the relevant documents in a cost-effective manner. Finally, they provide useful guidance on how to get Data Protection Officers without breaking the bank.
- Susan Wanjiku, Digital Ecosystem Advisor at GIZ-DTC Kenya
- Catherine Kariuki-Mulika, TMT Partner at TripleOKLaw Advocates
- Cynthia Chepkemoi, Data Protection Counsel
Episode 4: Cross-border data transfers
According to the Data Protection Act of 2019, a data controller or data processor may transfer personal data to another country only where proof has been given to the Data Commissioner that the data will be transferred securely to a place with equal or stronger data protection laws compared to Kenya. However, there are also certain situations where data can be transferred without notifying the Data Commissioner, such as when the transfer is for legitimate interest, public interest or has the consent of the data subject.
In this episode, John Walubengo and Simon Verschaeve explore what a cross-border data transfer is, the legal requirements when it comes to cross-border data transfers, and some lessons learned from Europe’s experience.
- Lemmy Kamau, Advocate of the High Court of Kenya and Data Protection and Privacy Specialist
- John Walubengo, Lecturer and Data Protection expert
- Simon Verschaeve, Data Protection Lawyer at DLA Piper
Episode 5: Engaging with data protection authorities
Episode 5 of the Data Protectors podcast introduces SMEs to the Office of the Data Protection Commissioner (ODPC) and explains how they can build a good relationship with the Office. This episode stars Tamar Kaldani, who is the former Data Commissioner of Georgia. and Rose Mosero, who is the Kenyan Deputy Data Commissioner, in a sizzling conversation moderated by Catherine Muya.
Our speakers demystify the role of the ODPC in Kenya and separate myths from truth as Rose Mosero clarifies how SMEs can effectively engage the ODPC, report any complaints they might have, and get their issues addressed and resolved speedily by the ODPC. Tamar Kaldani shares some lessons for both regulators and SMEs on how to build a good relationship with each other and maximize the benefits.
- Catherine Muya, Program Officer, Digital Policy at ARTICLE 19 Eastern Africa
- Tamar Kaldani, Former Data Commissioner of Georgia
- Rose Mosero, Deputy Data Commissioner of Kenya
Episode 6: The future of data protection
Episode 6 of the Data Protectors Podcast takes a radical shift from previous episodes by taking a crystal ball and trying to paint a picture of the future of data protection and data security in Kenya and the world. This episode stars Tarun Samtani, a senior privacy practitioner with experience across different countries such as the United Kingdom and Singapore, and Francis Monyango, a certified information privacy manager with experience practising and teaching data protection in Kenya.
Under the moderation of Ochieng’ Ogango, speakers tackle diverse issues like awareness of data subject rights, decentralised identity, fines against big tech companies and how they will shape the future of privacy in the next one or two decades. Listen to this episode to discover their forecasts.
- Ochieng Ogango, Advocate of the High Court of Kenya
- Tarun Samtani, Advisory Board Member, International Association of Privacy Professionals (IAPP)
- Francis Monyango, Privacy and Data Protection Practitioner
Episode 7: The role of academia
For the past six episodes, the Data Protectors Podcast has looked at current issues such as the data protection principles, the cost of compliance, cross-border data transfers and how to engage with data protection authorities. Episode 6 presented an interesting discussion on what experts foresee the future of data protection will look like. Today’s conversation focuses on the role that academic institutions and scholars can play in advancing data protection.
In the scintillating discussion moderated by Sumaiyah Omar, the speakers, Dr Patricia Boshe and Grace Mutung’u guide listeners on easy-to-read publications and courses that they can access to build their capacity on data protection issues. The episode also gives a sneak peek into the interesting work that both researchers are doing in the academic space to advance data protection.
- Sumaiyah Omar, Advocate of the High Court of Kenya, Data Protection Officer
- Grace Mutung'u, Digital Policy Researcher
- Dr Patricia Boshe, Lecturer and a Senior Researcher, University of Passau (Germany)
Episode 8: The role of civil society
In this concluding episode, the Data Protectors Podcast focuses on the role of civil society in advocating for the right to data privacy. It features an interesting discussion about the challenges that civil society organizations encounter in their efforts related to data privacy as well as the importance of collaboration between civil society organizations worldwide.
In this 8th episode, under the skillful moderation of Mercy Kingori from the Future of Privacy Forum, Elliot Bendinelli from Privacy International and Meshack Masibo from KICTANET share their insights on harnessing partnerships in Kenya, Europe and beyond to strengthen the advancement of data protection.
- Mercy Kingori, Policy Analyst Africa at Future of Privacy Forum
- Elliot Bendinelli, Program Director at Privacy International
- Meshack Masibo, Data Protectors Podcast Project Manager, KICTAnet
This podcast is produced by KICTANET and GIZ/DTC Kenya, in collaboration with Nairobi Legal Hackers, as part of the AU-EU D4D Hub project