Most organizations have cited inadequate resources and personnel as a major challenge in their bid to achieve data protection and privacy compliance in line with the Data Protection Act, a new survey shows.
In addition, consent management has also proved a major hindrance to compliance: organizations have found it hard to get information and later use it as proof in case of a dispute, as well as to access data and identify the sensitive data that may be needed.
“There was a lack of support from senior and executive management; hence some of these issues trickled down. For example, if you are not allocated adequate resources, then it becomes really hard for you to have a team and be able to implement some of these key initiatives,” said Enid Mwayuli, Manager Cyber Security, Privacy and Trusted Technology at EY Kenya.
The survey further found that data leakage, and preventing data from being accessed by third parties within and outside the organization, is another major challenge organizations face as they try to comply with the Data Protection Act (DPA).
“A Gartner survey report noted that it takes $1,400 (Sh168,476) for organizations to just respond manually to a Data Subject Access Request (DSAR), taking note that most difficulties are experienced in locating the personal data, monitoring, as well as data minimization,” added Mwayuli.
The survey further revealed that Kenya has moderately implemented data protection and regulation, a move backed by the enforcement of the Data Protection Act of 2019.
Of the survey respondents, 56 per cent had Data Protection Officers (DPOs), whereas 44 per cent did not.
On the other hand, 68 per cent of the organizations that participated in the survey conducted mandatory privacy awareness training for their employees, while 32 per cent did not embrace the measure.
The survey, conducted by Ernst & Young Kenya LLP between February and May 2022, assessed the status of data protection in the country in organizations ranging from banks and insurance companies to healthcare and Saccos, among other sectors.
According to the Data Privacy Act 2019, organizations handling personal data as data controllers and processors are required to be registered by the Office of Data Protection Commission (ODPC).