Friday, March 29, 2024

PwC urges NPOs to strengthen their data protection programs due to increased data privacy and regulatory risk

Due to the large amounts of personal information NPOs collect and process, PwC:

  • urges NPOs to comply and familiarise themselves with the Data Privacy Act to mitigate risks of non-compliance
  • warns that leakages could spark violence in situations of prosecution or stigma for beneficiaries whose data is accidentally disclosed
  • notes an increase in the introduction and implementation of data privacy laws in Africa

8th December 2021, Nairobi: PricewaterhouseCoopers Limited (PwC) has urged Not-for-Profit Organisations (NPOs) to embed the principles of data protection into their operations and data governance practices to mitigate the risks of non-compliance with the law.

Speaking in a webinar on “Data Protection and Privacy in the NPO sector” the firm noted that it is imperative for organisations in the sector to consider the way they process the personal data they collect from individuals and to ensure that this complies with the requirements of the Data Privacy Act.

In discussing some of the technical and organisational measures the NPO sector can implement to manage data privacy risks, Joe Githaiga, PwC Kenya’s Head of Legal & Regulatory Compliance Advisory, highlighted measures such as: appointing data protection officers (DPOs); conducting data protection impact assessments (DPIAs); developing data privacy statements and policies; and undertaking data mapping to understand the type of personal data they process.


In the same vein, Edward Kerich, Engagement Partner at PwC, noted the key challenges facing the NPO sector while collecting or processing personal data, such as language barriers, vulnerability of data subjects, and large-scale data security risks such as leakages that could spark violence in situations of prosecution or stigma for beneficiaries whose data is accidentally disclosed. Mr Kerich also encouraged NPOs to put data incident management tools and security tools in place to comply with the data privacy laws.

Peter Ngahu, PwC’s Regional Senior Partner (RSP) noted the increase in the introduction and implementation of data privacy laws on the African continent, which indicates that this is set to be a material regulatory risk theme in the region. Most of the newly introduced laws were modelled on the EU’s General Data Protection Regulation (“GDPR”), which sets the benchmark for global data privacy laws.

NPOs play a significant role in building strong communities by providing critical services that contribute to economic stability and mobility. They rely heavily on the collection of data for the provision of humanitarian assistance, which includes information relating to nutrition, housing, health services, legal aid, interpretation, and education, and which results in the continuous processing of individuals' (beneficiaries') data.

Typically, this data is stored in both paper copies and digital form and consists of records of services received, family details, photographs, health data, names of the beneficiaries and so on. Apart from the operational value of collecting data, this information may provide insights into the beneficiaries’ needs and the type of assistance required. Additionally, data analysis may support risk assessments and facilitate the identification of vulnerable cases based on previously identified patterns and personal characteristics.

The collection of data from individuals in the context described above gives rise to concerns about the privacy of their information, which is guaranteed under the Constitution of Kenya, and how the collecting organisations safeguard this data.

The Kenyan Data Protection Act 2019 (“DPA”) sets out a detailed legal and regulatory framework for giving effect to the constitutional guarantee of privacy and protecting the personal data of individuals in Kenya. The DPA regulates the processing of personal data, provides for the rights of data subjects, and further lays down the obligations of data controllers, who are basically organisations or natural persons who process personal data.

Conclusion

The right to privacy is a fundamental constitutional right of the individual and the protection of their personal data is therefore a core obligation of organisations which collect personal data. As with all other organizations, NPOs need to familiarise themselves with the requirements of the DPA and the obligations imposed on them under this law. This is imperative if NPOs are to enhance trust from the individuals they deal with, maintain their reputation and avoid legal liability arising from breach of the data privacy laws.
