Under the new Office of the Data Protection Commissioner (ODPC) draft mandates, Kenyan transport operators must move beyond simple registration as data controllers or processors by also appointing a mandatory Data Protection Officer (DPO).
Based on the general provisions of the Data Protection Act 2019 (DPA), it is already mandatory for companies in the crucial sector to register with the ODPC.
What is not mandatory, as per the general regulations, is the establishment of a Data Protection Officer role. Section 24 of the DPA uses the word “may,” suggesting data controllers and data processors have discretion on whether or not to appoint a DPO.
“A data controller or data processor may designate or appoint a data protection officer on such terms and conditions as the data controller or data processor may determine,” reads part of the Act.
Kenya’s Guidance Note on Registration of Data Controllers and Data Processors does not require a DPO to be part of an entity. Part of the note reads, “You may wish to leave the Data Protection Officer section blank.”
These new draft guidelines aim to change this for the transport sector, with the DPO serving as a transport company’s primary point of contact with the ODPC.
“Given the scale of its operations, a company must appoint or designate a DPO. The appointed DPO develops the company’s data protection policy, trains staff on compliance obligations, conducts internal audits, and liaises with the ODPC on regulatory matters,” reads part of the Guidance Note for the Transport Sector.
Since Kenya’s DPA entered into force in November 2019, these are the first-ever data protection guidelines specifically for the increasingly tech-reliant transport sector.
This draft affects the entire transport ecosystem, including matatu SACCOs, logistics firms, ride-hailing apps, and operators across air, rail, and sea.

The draft guidance note clearly outlines the sensitive nature of personal information that Kenyans increasingly have to share as part of their commute, whether short-distance or long-distance.
A transport company processes the personal data of thousands of passengers daily, including booking records, national ID numbers, and payment information.
Ride-hailing apps can track, in real time, precise locations and infer private information from such data.
Currently, not all transport firms have the infrastructure needed for passengers to access, rectify, or erase their personal information. This systemic deficiency leaves companies vulnerable to committing significant data rights violations.
ODPC Guidance on Data Protection Officer
Essentially, a Data Protection Officer doesn’t have to be a specialized external hire; they can be an existing employee of the organization or even a shared resource across multiple related companies.
If an internal staff member takes on the role, they are permitted to juggle other professional responsibilities alongside their DPO duties, as long as those extra tasks don’t create a conflict of interest.
By law, a group of businesses can appoint a single DPO to serve the entire collective, provided the officer remains readily accessible to each individual entity within that group.
Organizations are required to make their Data Protection Officer’s contact information publicly available on their official website. Lastly, the controller or processor must formally report the DPO’s appointment and contact details to the Data Commissioner.



























