Why Todays CIO, CISO, Digital Manager and Head Of I.T Must Be Conversant with Data Protection and Privacy Laws
Introduction
The positions of CIO, CISO, Digital Manager and Head Of I.T now have to be conversant with the provisions of the Kenyan Data Protection Act, 2019 & The Computer Misuse and Cybercrimes Act; as well as common gaps in information security practices within the organization.
 
The fourth industrial revolution has altered traditional business structures in all sectors.  It has ushered in data-fueled transformations. Most business models have evolved to incorporate processing of varied classes of customer data to inform or enhance processes, decision making, and revenue models. Use of A.I to offer better business insights from big data is now a common phenomenon. In the last decade, we have witnessed the rise of fully data-driven businesses like Airbnb, Uber and Facebook; Data-infused businesses like Amazon, Netflix and Jumia and Data-informed businesses like financial services institutions which have anchored the relevance of data to a business.  Data has been re-defined and re-classified as a strategic economic asset in many corporate books, requiring careful management.  
 
Information collected and processed to drive business models can include personal information such as ID/Passport number, credit/debit card details, residential address, behavioural data collected based on customers online activity and transactional and product preferences. Intellectual property rights arise in relation to data management. For instance, data licensing, data ownership, database copyright are all considerations that need to be made while dealing with data.
 
The adoption of data driven models demonstrates increased reliance on data. This calls for good data governance practices. Failure to observe this exposes the organization to regulatory non-compliance risk, reputational risk and business confidentiality risk. To mitigate these risks, many organizations have embraced practices like regular audits on their business processes and systems, confidentiality risks assessments, effective management of Vendor relationships, management of the contracting processes, management of their IP security processes and technical data protection measures.
 
Data breach caused by cyber-attacks
Cyber-attacks have steadily increased over the last decade and have evolved into one of the principal risks posed to a business. Malicious attackers have developed and shared a wide array of technical software tools and social engineering techniques to infiltrate private computer networks and systems. Once successfully inside a private network, the malicious actor has the potential to extract, destroy, or otherwise adversely affect personal data under the control of the business organisation. The criminal actions of these malicious entities adversely affect the rights of data subjects and tarnish the business reputation of affected organisations.
 
Public bodies
Public bodies and county institutions are increasingly becoming a suitable class of target for cyber attackers. Kenya is steadily transitioning towards the provision of government e-services to increase accessibility and ease of engagement. E-citizen is the online platform that provides access to all government services including digital payments. The introduction of Huduma Bill, 2019 analyzed here which establishes a national integrated identity management system demonstrates further the steps taken towards the full digital operation of government services. 
 
Though there are no official reports released to the public, there has been talk of disruption of essential government services in Kenya by cybercriminals demanding a ransom. For instance, in 2019, seventeen websites operated by Government ministries and parastatals were said to have experienced cyber-attacks, crippling delivery of services.
Down South, the City of Johannesburg experienced two independent ransomware attacks during which the malicious attackers accessed the City’s I.T infrastructure and threatened to leak passwords and other critical information unless a ransom of four bitcoins was paid. The attack, as reported here, forced City officials to terminate the distribution of various services until the breach was contained and effectively managed. The second attack was on the City's Electric Power distribution which disabled payment services and even denied power to some parts of the city.
 
The law
The Constitution of Kenya guarantees the right to privacy. Organisations which collect, manage and process personal data are advised to observe the data protection principles enshrined in the DPA which is the primary legislation regulating the processing of personal data in Kenya. Some of the common techniques deployed by malicious entities and are considered illegal under the Computer Misuse and Cybercrimes Act, Data Protection Act, 2019, Kenya Information and Communications Act and the Penal Code are; phishing attacks, malware, ransomware, supply chain compromise, distributed denial of service (DDOS), packet sniffing and virtual private network (VPN) vulnerabilities.
 
Organisations face a multitude of negative impacts upon the discovery and determination of a data breach;
  1. Financial loss brought about by operational downtime, theft of financial data, drop in stock prices, loss of intellectual property, increased security costs, additional PR costs to rebrand the organisation’s image after the data breach, Increased insurance premiums and the imposition of legal fines under S. 63 DPA (a maximum fine of five million Kenya Shillings or one per centum of the annual turnover of the organisation, whichever is lower);
  2. Negative business reputation which affects the ability to attract new customers, future investment and new employees to the company, Consumer Trust, Jeopardises future investments and the development of new partnerships, increased customer turnover, Online vandalism;
  3. Operational downtime upon discovery of the data breach;
  4. Legal action by affected parties. For instance, in the British Airways Case in the UK, the personal data of approximately 500,000 customers was compromised in an incident, which is believed to have begun in June 2018. The Information Commissioner’s Office’s (ICO) investigation established that a variety of information was compromised due to poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information. British Airways was issued a notice of intent to be fined a total of £183.4 million by the ICO.
What considerations should be made to minimize negligent data breaches and close common information security gaps?
Map out a clear Data breach notification process
Data controllers are obligated, upon the discovery of a personal data breach, to record the facts relating to the breach, effects of the data breach on the organisation and its relevant stakeholders and the remedial action adopted.
Be aware your obligations to the Data Commissioner 
Upon the discovery of a data breach which has the potential of real risk to, or has already harmed data subjects, data controllers are required to notify the Data Commissioner's Office within seventy-two hours. Data controllers are authorised to restrict communication of details of the data breach to be necessary and proportionate for purposes of prevention, detection and investigation of an offence.
"Notification and communication of the data breaches serves amongst other purposes, to help create a database recording the various details of breaches."
The DCO is unlikely to impose administrative fines for accidental breaches, where it can be determined that the organisation was not negligent and had implemented and configured the appropriate technical and organisational measures to secure their computer databases, devices and network. Notification and communication of the data breaches serves amongst other purposes, to help create a database recording the various details of breaches. Technical information about the breaches is shared globally in order to develop defensive mechanisms to address the vulnerability exploited.
Negligence leading to a data breach would be a huge factor in the considerations evaluated by the DCO before reaching a decision on the appropriate actions to be taken. Negligence can stem from actions taken by internal staff, third parties or sub-contractors, which can either aggravate or mitigate the liability of the breached organization.
Be aware of your obligations to the data subject
Organisations are under a duty to notify and inform affected data subjects of the data breach, within a reasonable time period, through written communication.
The KDPA provides for a sole circumstance under which data controllers are not obligated to notify affected data subjects about a data breach. If the data controller or processor has implemented appropriate security safeguards to render the compromised personal data useless to the malicious attacker. The KDPA specifically notes encryption of data as an appropriate safeguard, which implies the security safeguards should ensure the anonymity of the affected data subjects.
Where a data controller contracts a data processor to manage and process data on its behalf, the data processor is obligated to notify the data controller within forty-eight hours of the discovery of a data breach.
Mitigate against liability for data breaches
Data controllers and data processors should adopt minimum safeguards as standard practice to ensure the confidentiality and integrity of the computer networks, and the databases that contain critical information stored within.
"Organisations should strive to adhere to the provisions of  S.41(1) and S.42(2) & (4) of the KDPA, which provide for the realization of the data protection principles and integration of safeguards adequate to the nature of processing undertaken."
If organisations can demonstrate compliance with these provisions in the event of a data breach, the status of the implementation of appropriate technical and organisational measures shall serve as mitigation before courts or tribunals when establishing the liability of the organisation.
 
Organisations can mitigate against potential liability caused by data breaches by adopting the measures laid out below.
  1. Develop a Written Information Security Programme (WISP) detailing the information security policies and procedures of the organisation.
  2. Carry out a Data Protection Act Gap analysis
  3. If the organisation processes large volumes of personal data on a regular and systematic basis, it is best practice for such organizations to appoint a Data Protection Officer. A DPO has an understanding of the processing activities of the organization and ensures that processing of personal data is performed in accordance with the KDPA and industry-specific regulations and guidelines. External DPOs are increasingly becoming popular due to their independent critical ability and lower cost compared to hiring a full-time internal DPO. Furthermore, high-level management roles and various I.T positions are incompatible with a DPO due to conflicts of interest in the performance of their respective duties. 
  4. Carry out regular Data Protection Impact Assessments when applying a new technology or where the processing of data may pose a high risk to the data subjects by virtue of nature, scope, context and purpose of processing. The DPIA report envisages a thorough audit of all processing activities and evaluates the potential risks discovered. It is best practice for organizations that regularly and systematically process personal data to conduct DPIAs on a bi-annual basis. The more frequently an organization conducts DPIAs, the more aware and prepared they are to handle data breaches, as it is truly a matter of when not if it will happen.
  5. Organizations should perform an audit on all current ICT contracts with stakeholders to assess the level of risk associated with third party obligations in relation to data breaches.
  6. Organizations are encouraged to perform thorough due diligence on third parties before engaging in further transactions. This includes understanding the technical security measures adopted by stakeholders to whom personal data has been transferred.
  7. Organization-wide training and awareness to adequately prepare staff for social engineering attacks and on the latest infiltration techniques utilized by cybercriminals. Further, training and awareness on the organization’s obligations to data subjects is necessary so as to align all departments and business teams.
  8. Organizations are encouraged to establish a compliance team comprising of various business teams.
  9. Develop a data map which aids the organization in assessing what data they hold, where they hold it and the legal reasons of collecting it.
  10. Develop policies, notices and necessary documentation to aid in demonstrating compliance of the relevant laws, respond to data subject requests, aid in forensic investigations and guide internal processes.
For further information, contact tmt@tripleoklaw.com
Contacts