A Step-by-Step Guide to Running a Business in Nigeria

Learn the step-by-step guide to running a business in Nigeria, from creating a solid business plan to registering with the CAC and staying legally compliant.
The Importance of ISO Certification for AgriBusiness in Kenya

ISO certifications give agribusinesses a well-known framework to tackle these demands, boosting their competitiveness at home and abroad.
Best Practices for GDPR Compliance For Health and Wellness in Nigeria

GDPR compliance for health and wellness is no longer optional for businesses that are targeting international customers.
How to Ensure Data Protection Compliance in Kenya

Are you confident that your business is fully compliant with Kenya’s data protection regulations? In today’s digital world, protecting personal data isn’t just a legal requirement—it’s a responsibility that builds trust with your clients and stakeholders. With the enforcement of Kenya’s Data Protection Act, businesses must take proactive steps to ensure compliance or risk facing serious consequences.

Take WPP Scangroup, for example. In October 2024, the company was ordered to pay damages for mishandling personal data, proving that the Office of the Data Protection Commissioner (ODPC) is serious about enforcing compliance. If a well-established company can face penalties, no business is immune.

So, how can you make sure your organization is on the right side of the law? In this guide, we’ll break down the essential steps to achieving and maintaining data protection compliance in Kenya—helping you safeguard personal information, avoid legal trouble, and earn the trust of those you serve.

Understanding Data Protection Regulations in Kenya

Kenya’s commitment to protecting personal information is set out in the Data Protection Act of 2019. The Act gives effect to Article 31(c) and (d) of the Kenyan Constitution, which guarantees the right to privacy—a basic human right. Companies are required to obtain consent from individuals before they can collect, use, or share their personal data. The Act ensures that personal data is processed lawfully, fairly, and transparently, reflecting global norms such as the General Data Protection Regulation (GDPR). For more information about our comprehensive GDPR compliance services, please do not hesitate to contact us.

Role of the Office of the Data Protection Commissioner (ODPC)

The first Commissioner under Kenya’s Data Protection Act was appointed in November 2020. Let’s take a quick look at what the Commissioner does—their main responsibilities, duties, and powers. Here’s a list of them:

Key Principles of Data Protection Compliance in Kenya

To achieve data protection compliance in Kenya, organizations should focus on the following principles:

To learn more, you can also read about the Data Protection Principle.

Step-by-Step Guide to Achieving Data Protection Compliance in Kenya

Achieving compliance involves a series of strategic actions. Here are the steps to take:

1. Governance, Risk, and Compliance (GRC) Framework
Build a strong GRC framework that works with the data protection laws already in place in the countries where you operate. Also check that company policies and practices comply with both international standards and local regulatory obligations.

2. Data Inventory and Mapping
Make a detailed inventory of all the personal information your company gathers and handles, following any applicable data localization guidelines.

3. Legal Basis and Consent Management
Identify the legal justification for processing personal data in accordance with Kenya’s data protection laws. Develop strong consent management procedures to ensure compliance with the requirements for lawful processing and consent withdrawal.

4. Data Security and Breach Management
Implement suitable technical and organizational safeguards to keep personal information safe from unauthorized access, alteration, disclosure, or destruction. As required by local legislation and GDPR standards, develop procedures for notifying and responding to data breaches.

5. Data Subject Rights and Privacy Policies
Make sure people are aware of their rights under Kenyan legislation regarding their personal data, including the ability to access, correct, and erase it. Develop clear and transparent privacy policies that describe your data processing operations and data subjects’ rights.

6. Awareness and Training
Train employees on corporate policies, local legal requirements, and data protection principles. Create a culture of data privacy awareness to reduce risks and ensure continuing compliance.

Consequences of Non-Compliance

Non-compliance with the Data Protection Act can lead to severe penalties, including fines of up to KShs. 5,000,000 or, in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower. Additionally, individuals may face fines not exceeding KShs. 3,000,000 or imprisonment for up to ten years, or both.

Conclusion

Ensuring data protection compliance in Kenya is a comprehensive process that requires a thorough understanding of legal requirements and the implementation of effective data management practices. By adhering to the principles outlined in the Data Protection Act and proactively addressing potential risks, organizations can protect personal data effectively, avoid legal repercussions, and build trust with their stakeholders. If you’re facing challenges with data protection compliance, reach out to us at Johan Consults. We’re here to guide you through the necessary procedures.

Frequently Asked Questions on Data Protection Compliance in Kenya

1. Who needs to comply with the Data Protection Act in Kenya?
Any individual or organization, regardless of location, that processes the personal data of persons residing in Kenya must comply with the Act.

2. What are the key obligations of data controllers and processors?
The key obligations are to ensure that data is processed lawfully and collected for the right purposes.

3. Is registration with the Office of the Data Protection Commissioner (ODPC) mandatory?
Yes, data controllers and processors are required to register with the ODPC.
GDPR Consent Statement: What It Is and How to Write One

Consent is an important part of human society, particularly the modern one. Whether it’s using a friend’s property or establishing an amorous relationship, “yes” matters a lot. Let’s link this back to data protection. Since its implementation, the GDPR has placed great value on consent. This blog post answers questions about consent under the GDPR, explains what a GDPR consent statement is, and shows how to write one.

What is a GDPR consent statement?

Where organisations need to obtain consent, it’s vital that the clients or individuals concerned are informed. To do that, a GDPR consent statement becomes necessary. A GDPR consent statement is a clear declaration by an organisation, used to obtain consent from individuals before collecting, processing, and storing their data, in accordance with the General Data Protection Regulation (GDPR).

What is the GDPR?

On May 25, 2018, the European Union decided it was time to toughen up data protection, and so the GDPR came to be. The General Data Protection Regulation (GDPR) is the most comprehensive data protection law in the world and has inspired many adaptations, for example the NDPA (Nigerian Data Protection Act). The goal of the law is to grant data subjects (the owners of data) more control over their data and its processing. The GDPR mainly focuses on personal data and sensitive data. Under the EU regulation, personal data refers to information that identifies an individual, e.g. name, age, job, etc., while sensitive data under the GDPR includes vulnerable data such as bank details, National Identification Number, health status, etc.

The Basic Principles of the GDPR:

Who does the GDPR apply to?

The GDPR applies to any organisation that

When it comes to punishing the non-compliant, the General Data Protection Regulation has earned its reputation as the strictest data protection law. For example, the Italian data protection authority, the Garante, issued its largest GDPR fine of over €79 million against ENEL Energia for telemarketing misconduct. So, you don’t want to get on the wrong side of the law.

Need help with GDPR compliance? Book a free consultation with our experts at Johan Consults.

Consent and the GDPR

The GDPR places a lot of importance on data subjects’ consent to data processing. Although consent is one of the lawful bases for processing data, it’s not compulsory. What does that mean? A common myth about the GDPR is that you always need consent to process data. That’s not true. In fact, you can rely on other lawful bases if consent proves hard to get. Consent is only appropriate when you are sure you can stop processing when the subject opts out, because it would be terrible if you went ahead and processed data even after the individual said no. Also, making consent a precondition of a service may not be lawful. So, if you can process data legally without consent, go ahead. Otherwise, you might face harsh penalties for wrong consent practices.

What is valid consent?

The GDPR places utmost priority on consent and how it’s obtained. Here’s what the GDPR considers valid consent:

Consent given freely; this is very important. There must be no coercion or similar pressure. The individual must have genuine choice and control over their data—no hanky-panky.
The consent request includes the data controller’s identity, the purpose of processing, and the procedure for processing.
Valid explicit consent must be communicated in words, and consent requests must be clear and unbundled from other information. That way, it’s easily identified.

So, what’s the importance of a GDPR consent statement? The following are reasons to use a GDPR consent statement:

Example of a GDPR Consent Statement

The example below is a good depiction of a GDPR-compliant consent statement. Let’s measure it against the key features of a consent form.

“By checking this box, I consent to Techdella collecting and processing my personal data for the purpose of receiving newsletters, marketing materials, and service updates. I understand that my data may be shared with third-party partners for analytics and marketing purposes. I also acknowledge that I have the right to withdraw my consent at any time by contacting support@techdella.com, and I can request access to, modify, or delete my data. For more details, see our Privacy Policy.”

The key elements of a GDPR consent statement

Purpose: a clear explanation of why data is collected and how it’ll be used, as in “for the purpose of receiving newsletters, marketing materials, and service updates.”
Data sharing: whether data will be shared with third parties, as in “may be shared with third-party partners for analytics and marketing purposes.”
User rights: the consent statement must inform individuals about their rights, such as access, rectification, and consent withdrawal, as in “the right to withdraw my consent at any time by contacting support@techdella.com, and I can request access to, modify, or delete my data.”
Clear action: it must have an opt-in mechanism like a checkbox for explicit consent, as in “By checking this box, I consent.”
Contact details: lastly, a valid consent statement must provide contact details for data protection, as in “support@techdella.com”.

How To Write a GDPR Consent Statement

Now that you know what a consent statement should contain for valid consent, here’s a step-by-step guide to writing a compliant GDPR consent statement.

State clearly the purpose for which you’re collecting data. Be very specific: is it for marketing, analytics, or something else? Also, if there is more than one reason, make sure to state each separately. This ensures enough clarity.

Ensure users take explicit actions to give their consent. Examples: clicking a button, checking a box. Note: pre-checked boxes aren’t acceptable. Importantly, avoid implied consent, such as treating continued use of a website as acceptance.

If you’ll share the data with a third party for any reason, include who they are and what they do, together with the reason why. Additionally, if data transfers will happen, let users know where the data goes and how it will be protected.

Your consent statement must include how long you will store data and what will be done with it once it’s no longer needed.

Include the following rights of individuals in it:

Make sure to provide instructions on how users
Top 12 GDPR requirements you must know in 2024

Towards the early 2000s, the European Union realised the need to regulate data protection and security. Although other factors were involved, the rapid rise of the internet became the final push for a data protection regulation. This brought about the implementation of the GDPR. On May 25, 2018, the General Data Protection Regulation (GDPR) came into force. The main goal of the GDPR is to give data subjects (the owners of data) more control over, and protection of, how their data is collected, processed, used, and stored by organisations. An important point to note is that the GDPR applies to every organisation that operates in the EU or handles data belonging to an EU citizen, wherever they are. There are several GDPR requirements for organisations, and this article provides a summary of them.

Lawful, fair, and transparent processing

Shouldn’t be hard, right? Yes, it sounds straightforward, but according to IT Governance UK, it’s the most violated GDPR requirement. Article 5 of the GDPR requires every organisation handling data to have a legal reason to do so. This means you can’t collect, process, and store personal information for any random purpose. To know if your processing is lawful, check it against the GDPR’s lawful bases for processing. For transparency, you should clearly communicate how you process data, in addition to the lawful reasons, to the data subjects. For this, you should publish privacy notices and ensure data owners have easy access to them.

Purpose limitation

This requirement addresses another issue. Every organisation can process data ONLY for the lawful purpose clearly stated. This means that you cannot process collected data for reasons beyond the initial purpose.

Data minimisation

Isn’t it better to collect all the data you can get from each subject in one go? While it sounds reasonable, the GDPR kicks against it. You can only collect data necessary for the stated purpose. For instance, in research on the average height of males, the HIV/AIDS status of the subject isn’t needed. As such, you shouldn’t collect it.

Accuracy

No organisation should keep or process incorrect data. As such, data accuracy is mandated under the GDPR, and inaccuracies must be corrected immediately upon discovery.

Storage limitation

There’s a limit to how long an organisation can keep data after processing. Of course, there are unique timeframes for each type of data. In summary, data retention under the GDPR cannot be longer than necessary.

Integrity and confidentiality

The GDPR states that organisations must implement technical measures to ensure data security. Such measures include encryption, data masking, etc.

Accountability

Yes, the GDPR requires absolute compliance by organisations, and so they have to be able to show proof of their compliance.

Struggling with GDPR compliance? Contact Johan Consults now for a free 1-1 consultation.

Data Subject Rights

Since the goal of the data protection regulation is to give subjects more control, it makes sense that there are GDPR rights for individuals.

The right to be informed
Entities (organisations) must tell individuals what data is collected, how it’ll be processed, and the purpose. These must be communicated clearly, in plain language.

Right to rectification
Should data subjects discover any inaccuracies in their data, they can request that the organisation correct it. The organisation then has a month to rectify the inaccuracy, though there are exceptions.

The right to access
An individual can demand a copy of their personal data. Once the individual submits a DSAR (data subject access request), the organisation has one month to comply with the request.

Right to erasure
Under certain circumstances, individuals can ask organisations to delete their data permanently, for example in cases of unlawful processing or when the data is no longer necessary.

Right to data portability
Individuals can obtain and reuse their personal data for their own purposes. This right applies to data given to the organisation on the basis of contract or consent.

The right to object
When organisations want to process data for lawful reasons, they must give subjects the right to object to the processing. Unless they have valid reasons not to, organisations must stop processing when individuals exercise this right.

Want to learn how to write a GDPR-compliant consent statement? Click here.

Privacy by design

This concept has been around for a while. Although it used to be a best practice for data protection, the GDPR now mandates it for every organisation. This requirement obliges organisations to implement technical and organisational measures to ensure data protection and to use security measures to implement the GDPR principles. To help you track your compliance journey, make use of this checklist.

Data transfers

When an organisation needs to transfer data across borders, the GDPR requires additional steps. However, if you’re moving data within the EU, you’re exempt from extra requirements. For data transfers to third countries (outside the EU), Article 46 outlines the protection steps. Basically, this situation will need SCCs (standard contractual clauses). SCCs are used for data transfers between an EU country and a third country.

Data protection impact assessment

A DPIA (Data Protection Impact Assessment) helps organisations identify and reduce the risks associated with data processing. It’s required in situations where sensitive information or the data of vulnerable persons is processed. Article 35 of the GDPR covers the concept of the DPIA and states that it is required where data processing “is likely to result in a high risk to the rights and freedoms of natural persons.” The regulation does not explicitly define high risk, but it generally refers to: systematic and extensive profiling; special category or criminal offence data on a large scale; and systematic monitoring of publicly accessible places on a large scale. For a better grip on GDPR compliance, you can use GDPR compliance software.

Data protection officer

A DPO (Data Protection Officer) is an individual trained in the technicalities of data protection who helps organisations comply with data protection regulations. Article 39 explains the roles of a data protection officer (DPO). Highlights include: advising and training staff on their data protection responsibilities; monitoring the organisation’s data protection policies and procedures; overseeing