Is Your Visitor Management Aligned with Kenya’s Data Protection Law?
Following the enactment of the Data Protection Law (DPL) and the establishment of the Office of the Data Protection Commissioner (ODPC), the Data Protection (General) Regulations 2021 are now in full force. These regulations apply to all businesses that handle personal data in Kenya. This is evidenced by the recent action by the ODPC to issue penalty notices to several data controllers for failing to observe the data privacy rights of data subjects and to comply with the Data Protection Law.
Data Protection Law Compliance:
The Data Protection Law Regulations define rights for data subjects and responsibilities for data controllers, processors, and third parties handling personal data. This legal framework requires organizations to review their data management practices, including visitor management.
Entities are expected to comply with the DPL by implementing data protection principles and safeguards that ensure the processing of personal data is in compliance with the provisions of the Act. Failure to comply with the Act will result in the institution of enforcement procedures.
Visitor Data Compliance Risks:
Many organizations still use manual visitor registration methods, such as paper visitor books, which now pose compliance risks under the new laws.
Compliance with the Data Protection Law is essential, with significant penalties for violations. Fines of up to KES 5 million (approx. USD 50,000) or 1% of annual turnover can be imposed for non-compliance, and failure to comply with the Commissioner's orders is considered an offense. Data subjects can also seek compensation for damages.
DPL Compliance Requirements for Visitor Management:
- Use visible signage for automated registration systems to explain data purposes and relevant supporting legal frameworks.
- Be transparent about data collection intentions and use; store data only for as long as necessary, restrict access to authorized individuals, and implement security measures such as encryption and password protection.
The three fundamental principles guiding the ODPC:
Any processing of personal data should be lawful and fair, and it should be transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed, and to what extent the personal data are or will be processed.
Consider using a Digital Visitor Management System (VMS) with built-in features like consent agreements, opt-out options, and data encryption. SOJA VMS offers solutions to help organizations achieve full compliance with the Act.
Contact us to learn more about how SOJA VMS can assist your organization in achieving full compliance.