Data Privacy and Protection: Guidance Note to Kenya’s Digital Financial Services - Report

September 1st, 2021

In May 2017, a special focus in The Economist likened data to the fuel of the future, noting that “data are to this century what oil was to the last one: a driver of growth and change”, and predicting that the largest conglomerates of the future will be data-driven firms such as Google, Tencent and Amazon, in much the same way that the previous century’s oil and manufacturing conglomerates defined the industrial era.

The ecosystem in Kenya is very much on this path, albeit on a significantly smaller scale. Kenya’s digital financial services ecosystem is built on the premise of alternative data sources and information sharing to inform decisions, business models and monetisation models. The bits and bytes flowing through these enterprise-led innovations have given rise to a range of digital offers in traditional financial services, such as mobile applications that provide small loans using information stored on an individual’s smartphone. At the same time, innovation around data has grown over the years into adjacent areas such as ride-hailing, trade and input platforms, gig worker platforms, agricultural initiatives and health financing.

While these innovations have increased financial inclusion and enabled Kenya to become a focal point of the digital finance movement, they also lift the hood on the need to address potential risks in the context of data privacy and protection. The risks relate to, but are not limited to, how data is owned, extracted, shared, stored and secured while preserving the right to privacy. Competition concerns equally loom large, as data is a resource that can yield windfall returns to those who extract and own it in large quantities. However, these risks are not unique to Kenya. Most countries are considering or have developed relevant rules and frameworks to address them.

In Kenya, the Data Protection Act (the Act) was enacted in 2019 to regulate the processing of personal data and to provide for the rights of data subjects and the obligations of data processors and controllers. The provisions of the Act are well intentioned and far reaching, encompassing foundational principles such as lawfulness, fairness, transparency, accuracy, confidentiality and accountability. Perhaps more importantly, the Act is built upon the fundamental principle that personal data is collected with a clear legal basis and against a known use. The Act also has a wide scope that provides clear guidance on the limitation of collection, as well as the rules for accountability within an organisation that collects and stores personal data. Whereas a raft of guidance notes and draft regulations have been published, the framework is still evolving and further guidance notes and regulations are expected.

It is not simply about the de jure rules (laws, regulations and guidelines) but also the de facto position: how these rules are applied and their impact on market participants. Enforcement mechanisms are critical in ensuring that the intent of any given rule is achieved within a given context. However, providers too should have a strong collective interest in ensuring that their businesses and processes align with the underlying needs and interests of their customers, even in the absence of rules. This is particularly pertinent in the context of data privacy and protection, where the definition of a data subject as ‘an identified or identifiable natural person’ underpins the philosophy of the supremacy of individual rights over their own data. In financial services, this sets the backdrop for how individuals’ data is used to inform the design of solutions.

For providers, a key imperative should be ensuring that the protection of their customers’ data and the preservation of their privacy is not just a box ticked to comply with the rules. Product design, business practices, processes and operations should keep customers at the fore in order to drive greater user engagement. The advent of the digital age means that providers must increasingly bear the responsibility to safeguard their customers and build trust in digital products. This is particularly so for new and low-income customers who are coming into the digital world for the first time. Research by CGAP shows that the poor value privacy and are willing to pay for it, adding to the calls for dialogue about how data can serve the interests of poor people.

Developing and implementing new approaches that put the customer first will require that:

  • Consent must be specifically obtained and not captured as part of general terms and conditions that leave the data capture open to potential abuse. Even where consent is granted, the onus of responsibility should shift to providers, as current consent models are inadequate in the digital world. Research shows that it would take the average person 76 days to read all the data disclosures they encounter.
  • A data subject should have the right to access their personal data. This should include the right to have incorrect information corrected or erased, even where it has already been processed.
  • Data must be collected for explicit and specified purposes and processed in a transparent manner, with the data subject informed of the use to which their personal data is to be put.
  • Only data that is required for the delivery of a service should be captured.
  • A data subject must not be discriminated against on the basis of how they choose to exercise their data protection rights.
  • A data subject should have the right to have their data moved from one controller or processor to another. This movement should be as simple as possible.
  • All categories of data, structured and unstructured, must be protected, including photos, emails, scanned documents and hard copy documents.

While some of the principles listed above are enshrined in Kenya’s data protection law, others are not. However, there is an opportunity for providers to get ahead of the game rather than being forced into change after breaches and enforcement actions arise. To achieve this, providers need to start thinking about the practicalities of complying with the law in a pragmatic manner while putting the customer first. At the same time, dialogue is required on how to address operational and implementation elements. For instance, while the law requires data processors and controllers to comply with a Data Subject Access Request, how can a firm practically implement this? What tools and resources can a firm use to develop a data flow map? How can a firm manage and handle unstructured data? Are there examples of firms that are doing these things well that could be emulated? What bad practices should be avoided?

FSD Kenya, in partnership with LexTego and MFX Partners, has developed a guidance note that highlights the practical options and ways in which the innovation and DFS ecosystem could start to comply with the law in a pragmatic manner while keeping the customer in mind. The guidance note focuses on the provisions of the Data Protection Act and the draft regulations and guidance notes, while also drawing on best practice in other markets. The expectation is that the guidance note will help to catalyse conversations on the realities of compliance with the customer in mind.

Download the Data Privacy and Protection: Guidance Note to Kenya’s Digital Financial Services


Data Protection in a Fintech context – Presentation