Kenyan Businesses Fined Over KES 26 Million For Privacy Violations
The Office of the Data Protection Commissioner (ODPC) in Kenya has been sending a clear message to businesses operating within the country: data privacy is a serious matter, and non-compliance can have severe financial consequences. In the past few years, the ODPC has levied fines totaling over KES 26 million against entities that have violated the Data Protection Act and Regulations.
While the ODPC has been active in enforcing data protection laws, many businesses in Kenya remain unaware of their obligations or are simply neglecting to comply. This has resulted in a growing number of data privacy violations, which can have serious consequences for both businesses and consumers.
Understanding The ODPC’s Role
The ODPC plays a crucial role in promoting data privacy in Kenya. The office is responsible for:
- Enforcing the Data Protection Act and Regulations: The ODPC investigates complaints of data privacy violations and takes enforcement action against non-compliant businesses.
- Providing guidance and education: The ODPC provides guidance and education to businesses and individuals on data privacy laws and best practices.
- Promoting awareness of data privacy issues: The ODPC works to raise awareness of data privacy issues among the public and businesses.
ODPC Enforcement Actions (2022 – 2024)
As at September 2024, records show that the ODPC has fined at least nine (9) businesses a collective sum of KES 26,275,000 for data privacy violations, including:
- Oppo Kenya (2022): Fined KES 5,000,000 for posting an individual’s photo on their Instagram stories without consent.
- Whitepath Limited (2023): Fined KES 5,000,000 for accessing customer contacts via their applications and sending unsolicited messages.
- Regus Kenya (2023): Fined KES 5,000,000 for continuously spamming users with automated improper information, even when asked to stop.
- Mulla Pride (2023): Fined KES 2,975,000 for obtaining names and contact information from third parties and using them to send threatening messages and phone calls in its digital credit operations.
- Casa Vera Lounge (2023): Fined KES 1,850,000 for posting a reveler’s image on their social media platform without obtaining consent.
- Roma School (2023): Fined KES 4,550,000 for posting minors’ pictures without parental consent.
- Zerox Technology (2024): Fined KES 500,000, payable to the complainant, for registering them as an emergency contact in a loan application without consent, and contacting them repeatedly when the loan was defaulted on.
- Nova Pioneer Limited (2024): Fined KES 950,000, payable to the complainant, for using their image on two billboards and their website without obtaining consent.
- SBM Bank (2024): Fined KES 450,000, payable to the complainant, for sending 327 spam email messages to a non-customer of the bank over the course of 10 months.
These cases demonstrate the ODPC's commitment to enforcing data privacy laws and holding businesses accountable for their actions and non-compliance.
Compliance Challenges Faced by Businesses
Businesses in Kenya face a number of challenges in complying with data protection laws, including:
- Complexity of laws: Data protection laws can be complex and difficult to understand. Businesses may need to hire experts to help them navigate these laws.
- Limited resources: Small and medium-sized businesses may lack the resources to invest in data protection compliance.
- Rapidly evolving technology: The digital landscape is constantly evolving, making it difficult for businesses to keep up with the latest data protection trends and best practices.
Compliance Support for Businesses
We help businesses in Kenya address data protection compliance challenges and ensure compliance with the Data Protection Act (2019) and Data Protection Regulations (2021). Our team of experts can assist with:
- Industry-Specific Threat Assessment: We'll identify your unique cyber threats based on your industry, allowing for a tailored security approach.
- Prioritized Risk Management: We'll assess and prioritize your security risks, ensuring efficient resource allocation and focused protection efforts.
- Streamlined Compliance Gap Analysis: We'll identify any gaps in your current compliance practices and provide actionable steps for closure.
- Policy Development: We'll craft a robust cybersecurity policy framework that aligns with industry standards and strengthens your data protection posture.
- Security Control Implementation: We'll implement industry-leading security controls that effectively safeguard your data and information systems.
- Data Controller Application Assistance: We'll guide you through the ODPC data controller registration process, ensuring a smooth and successful application.
- Cybersecurity Awareness Training: We’ll educate your employees on identifying and reporting cyber threats such as phishing attempts.
The Future of Data Privacy in Kenya
Data privacy is a growing concern in Kenya, and the ODPC is expected to continue to play a key role in promoting data privacy and enforcing data protection laws. As the digital landscape continues to evolve, businesses will need to adapt their data privacy practices to stay ahead of emerging threats and challenges.
Conclusion
Data privacy is a critical issue that businesses in Kenya must take seriously. By understanding the Data Protection Act and Regulations, implementing robust security measures, and obtaining necessary consent, businesses can avoid costly fines and penalties. CADMUS Cyber Solutions can help you navigate the complexities of data privacy and ensure compliance with the law.