ICT Regulator to Grant No Special Permissions for SMEs When Processing Personal Data


The Data Protection Bill, 2019 has been talked about for the better part of 2019. The bill, which was introduced both in the Senate and National Assembly seeks to protect personal data against misuse by those processing information.

Several issues have plagued the bill, the largest being that it has taken a long time to receive the President’s signature. The state does not have a robust data protection framework, and the bill is said to make that possible thanks to a series of personal data abuses that Kenyans face time to time. There’s is also an issue of repetitiveness because the bill was being pursued in the two houses, having been presented to members by different representatives.

The Bill has a clause for SMEs, large businesses and corporations that defines how they handle personal data of their customers and clients.

Small businesses, for instance, requested the Communications Authority of Kenya (CA) to exempt them from mandatory registration with the regulator before processing personal data. The exemption, according to SMEs, should allow them to grow.

According to Business Daily, The application has since been rejected by the CA. According to the regulator’s interim Director General Mercy Wanjau, doing so will compromise the security of sensitive information, hence all organizations will be held to the same standards.

It’s still not clear when the Bill will be made into law. At the moment, it’s undergoing examination by the National Committee of Communication Information and Innovation.

The ICT Ministry had requested the Bill to include GDPR-esque definitions before proceeding to the next stages of deliberation. That inclusion would mean multinationals will be forced to abide by the tone set forth by the bill should it be signed into law.