This article is taken directly from the source cited

Published Tuesday, September 25, 2018 20:54

By Njoki Kamau and Munga Ndichu

With the ushering of the European Union’s General Data Protection Regulations (GDPR), on May 25, 2018, several companies within the bloc have been compelled to adjust to ensure that any data they handle is well secured.

Locally, the big question that lingers in the minds of service providers is whether the GDPR has found its tentacles in the country and, if so, how best they can find the delicate balance between protecting the rights of their customers vis-a-vis ensuring that their daily operations are not crippled.

Article 3 of the GDPR has widened the territorial scope of the regulation. It states that the regulation applies to the processing of personal data of data subjects (individuals) who are in the EU by a controller (any company) not established in the Union.

This is specific to processing activities which are related to the offering of goods and services, irrespective of whether payment by the data subject is required. Additionally, it applies to the monitoring of behaviour of data subjects as far as this is within the EU.

The scope gets wider as the Article further provides that the Regulation applies to the processing of personal data by a controller not established in the Union but in a place where the national law of a Member State applies by virtue of public international law, such as an embassy. Additionally, Article 25 imposes a duty on any organisation outside the EU which falls under the GDPR regime because of its activities to appoint a representative in that Member State. The representative will be a point of contact for the entity’s Data Protection Officer. However, this does not apply to entities whose data processing activities are occasional and do not include large-scale processing of sensitive data.

What does this mean for Kenya? In a nutshell, an organisation does not need physical presence in the EU to be GDPR compliant. As long as a locally incorporated company or a subsidiary collects and stores information of a citizen of any EU member state in whatever form, then compliance is no longer optional.

If a company has employees or customers based in Europe, then it must be GDPR compliant. The rules require any company that collects and stores data on any EU citizen to justify why it is storing this information as well as to explain what it will use the data for. Companies are also required to document the user giving them consent to store their data.

Additionally, companies are required to provide all stored information on a user, should the user ask for it, and to delete the same information (including backups) should a user want to be “forgotten”.

Local businesses must tread cautiously; Continue reading...

Source: Business Daily
