Guidance Note on Data Protection Impact Assessments in Kenya
In the first half of this series (see part I on the General Regulations, part II on the Registration Regulations and part III on the Complaints Handling Procedure and Enforcement Regulations), we discussed the regulations issued under the Data Protection Act, 2019 (DPA). With these regulations in force, the Office of the Data Protection Commissioner (ODPC) will now begin operationalising some of the more specific obligations under the DPA, such as registration.
To give data controllers, data processors and data subjects a more detailed insight into how some of the processes under the DPA will be administered, the ODPC issued two guidance notes and a manual in early 2021. These are: the Guidance Note on Consent, the Guidance Note on Data Protection Impact Assessments (DPIA Guidance Note) and the Complaints Management Manual. In the second half of this series, we focus on these non-binding guiding documents. We begin in this article by focusing on the DPIA Guidance Note.
Data Protection Impact Assessments (DPIAs) are required under the DPA where processing activities are likely to pose a high risk to data subjects’ rights. The DPIA Guidance Note delves into the specifics of how to conduct a DPIA and even provides a form to guide data controllers and data processors.












