Why NPOs must embrace data protection programmes
PricewaterhouseCoopers Limited (PwC) has urged Not-for-Profit Organisations (NPOs) to embed the principles of data protection into their operations and data governance practices to mitigate the risks of non-compliance with the law.
Speaking in a webinar on “Data Protection and Privacy in the NPO sector” the firm noted that it is imperative for organisations in the sector to consider the way they process the personal data they collect from individuals and to ensure that this complies with the requirements of the Data Privacy Act.
Joe Githaiga, PwC Kenya’s Head of Legal & Regulatory Compliance Advisory, highlighted measures such as: appointing data protection officers (DPOs); conducting data protection impact assessments (DPIAs); developing data privacy statements and policies; and undertaking data mapping to understand the type of personal data they process.
In the same vein, Edward Kerich, Engagement Partner at PwC, noted the key challenges facing the NPO sector while collecting or processing personal data such as language barriers, vulnerability of data subjects, and large-scale data security risks such as leakages that could spark violence in situations of prosecution or stigma for beneficiaries whose data is accidentally disclosed.
Kerich also encouraged the NPOs to set up data incident management tools and security tools in place to comply with the data privacy laws.
Peter Ngahu, PwC’s Regional Senior Partner (RSP) noted the increase in the introduction and implementation of data privacy laws on the African continent, which indicates that this is set to be a material regulatory risk theme in the region. Most of the newly introduced laws were modelled on the EU’s General Data Protection Regulation (“GDPR”), which sets the benchmark for global data privacy laws.
NPOs play a significant role in building strong communities by providing critical services that contribute to economic stability and mobility.
They rely heavily on collection of data for the provision of humanitarian assistance which includes information relating to nutrition, housing, health services, legal aid, interpretation, and education which results in the continuous processing of individual (beneficiaries’ data).
Typically, this data is stored in both paper copies and digital form and consists of records of services received, family details, photographs, health data, names of the beneficiaries and so on. Apart from the operational value of collecting data, this information may provide insights into the beneficiaries’ needs and the type of assistance required.
Data analysis may support risk assessments and facilitate the identification of vulnerable cases based on previously identified patterns and personal characteristics.
The collection of data from individuals in the context described above gives rise to concerns about the privacy of their information, which is guaranteed under the Constitution of Kenya, and how the collecting organisations safeguard this data.
The Kenyan Data Protection Act 2019 (“DPA”) sets out a detailed legal and regulatory framework for giving effect to the constitutional guarantee of privacy and protecting that personal data of individuals in Kenya.
The DPA regulates the processing of personal data, provides for the rights of data subjects, and further lays down the obligations of data controllers who are basically organisations or natural persons who process personal data.