In May 2017, a special focus in The Economist likened data to the fuel of the future, noting that “data are to this century what oil was to the last one: a driver of growth and change” and predicting that the largest conglomerates of the future will be data-driven firms like Google, Tencent, Amazon, and so on, in much the same way the previous century’s oil and manufacturing conglomerates defined the industrial revolution.
The ecosystem in Kenya is very much on this path, albeit on a significantly smaller scale. Kenya’s digital financial services ecosystem is built on the premise of alternative data sources and information sharing to inform decisions, business models and monetisation models. The bits and bytes flowing through these enterprise-led innovations have given rise to a range of digital offers in traditional financial services, such as mobile applications that provide small loans using information stored on an individual’s smartphone. At the same time, innovation around data has grown over the years to adjacencies in ride-hailing, trade and input platforms, gig worker platforms, agricultural initiatives and health financing.
While the innovations have increased financial inclusion and enabled Kenya to become a focal point of the digital finance movement,1 they also lift the hood on the need to address potential risks in the context of data privacy and protection. The risks relate to, but are not limited to, how data is owned, extracted, shared, stored and secured while preserving the right to privacy. Competition concerns equally loom large, as data is a resource which can yield windfall returns to those who extract and own it in large quantities. However, these risks are not unique to Kenya. Most countries are considering or have developed relevant rules and frameworks to address them.
In Kenya, the Data Protection Act (the Act) was enacted in 2019 to regulate the processing of personal data and provide for the rights of data subjects and the obligations of data processors and controllers. The provisions of the Act are well intentioned and far reaching, encompassing foundational principles such as lawfulness, fairness, transparency, accuracy, confidentiality and accountability. Perhaps more importantly, the Act is built upon a fundamental principle that personal data is collected with a clear legal basis, with the data captured against a known use. The Act also has a wide scope that provides clear guidance on the limitation of collection as well as the rules for accountability within an organization that collects and stores personal data. Although a raft of guidance notes and draft regulations has been published, the framework is still evolving and further guidance notes and regulations are expected.
It is not simply about the de jure rules (laws, regulations and guidelines) but also about the de facto: how these rules are applied and how they affect market participants. Enforcement mechanisms are critical in ensuring that the intent of any given rule is achieved within a given context. However, providers too should have a strong collective interest in ensuring that their businesses and processes align with the underlying needs and interests of their customers, even in the absence of rules. This is particularly pertinent in the context of data privacy and protection, where the definition of a data subject as ‘an identified or identifiable natural person’ underpins the philosophy of the supremacy of individual rights over their own data. In financial services, this sets the backdrop of how individuals’ data is used to inform the design of solutions.
For providers, a key imperative should be ensuring that the protection of their customers’ data and the preservation of their privacy is not just ticking a box to comply with the rules. Product design, business practices, processes and operations should keep customers at the fore to drive greater user interactions. The advent of the digital age means that providers must increasingly bear the responsibility to safeguard their customers and build trust in digital products. This is within the context of new and poor customers, who are coming into the digital world for the first time. Research by CGAP shows that the poor value privacy and are willing to pay for it, adding to the calls for dialogue about how data can serve the interests of poor people.
Developing and implementing new approaches that put the customer first will require that:
While some of the principles listed above are enshrined in Kenya’s data protection law, others are not. However, there is an opportunity for providers to get ahead of the game rather than retroactively asking for change after breaches and enforcement issues arise. To achieve this, providers need to start thinking about the practicalities of complying with the law in a pragmatic manner while putting the customer first. At the same time, dialogue is required on how to address operational and implementation elements. For instance, while the law requires data processors and controllers to comply with a Data Subject Access Request, how can a firm practically implement this? What tools and resources can a firm use to develop a data flow map? How can a firm manage and handle unstructured data? Are there examples of firms that are doing this well that could be emulated? What bad practices should be avoided?
FSD Kenya, in partnership with LexTego and MFX Partners, has developed a guidance note that highlights the practical options and ways that the innovation and DFS ecosystem could start to comply with the law in a pragmatic manner while keeping the customer in mind. The focus of the guidance note is on the provisions in the Data Protection Act and the draft regulations and guidance notes, while also drawing on best practice in other markets. The expectation is that the guidance note will help to catalyse conversations on the realities of compliance with the customer in mind.