While some African countries have enacted personal data protection laws, just as many nations either have pending privacy legislation that has not yet been implemented, or have not even gotten to the stage of preparing drafts of such rules. It's a confusing situation for CISOs and other enterprise tech executives, especially those who do business internationally.

Almost half of the 54 countries in Africa have either draft laws not passed by government or no legislation at all, according to UNCTAD’s Data Protection and Privacy Legislation Worldwide map. And often, those that have passed data protection rules are not implementing them.

Kenya, for example, passed data protection regulations two years ago and established the Office of the Data Protection Commissioner, but data protection rules have not been strictly enforced. Most organisations are yet to comply with the requirements. Savings cooperatives — savings and credit cooperative organizations or SACCOs — which deal with a lot of customer information, are yet to put measures in place to protect personal data, according to recent research by cybersecurity firm Serianu.

According to the law, SACCOs need to get a customer’s consent to use their information, especially with third-party entities. At the moment, though, the SACCOs are not ready for compliance with the law. But it is not only the SACCOs. Businesses across Africa need to get ahead of legislation using proven market practices.

A paper released by the US International Trade Commission notes the largely unenforced laws across the continent. “Many of these regulations are currently in the process of being developed: in some cases, regulatory authorities to enforce data standards have not been created or staffed.
As a result, firms may not have yet changed their data practices even in countries with data protection regulations in force,” the report says.

The situation means that CISOs and other technology leaders operate in an uncertain legal climate, for example wondering how quickly they need to prepare for laws or draft rules that have not yet been implemented, or doing business in different countries that are at various stages of drafting data privacy legislation.

Africa-based companies that do business in the EU or with EU companies also need to adhere to GDPR regulations, whether or not their own national governments have implemented data privacy rules.

In the face of such complications there are various steps CISOs and other tech leaders can take to start getting their businesses in shape to deal with data laws and consumer security concerns. Here are four ways to get ahead:

Appoint a data officer

For most enterprises, appointing a data officer would be a logical start toward ensuring compliance with data protection laws. Data-officer duties might fall into the laps of CIOs, but top tech executives can also train and appoint someone to put in place policies that align with data protection legislation.

“Essentially, the role of a data officer is to ensure employees use collected personal data for the purpose it was collected for and enforce appropriate data governance strategies,” said George Mutune, a Nairobi-based cybersecurity specialist at Ignyte Assurance Platform.

Monitoring the collection, use, and transmission of personal data identifies missing privacy protection requirements stated in various laws, Mutune said. Data officers monitor privacy protection regulations to advise organisations of related compliance requirements.

Consolidate data

It is paramount to know where collected data is residing to be able to protect it. There are many data inlets in an organisation, and having this visibility is a prudent way of managing personal information.
Mutune says that using legacy technologies to access, process and store data may land customer information in various silos.

“As a result, [organisations] may not have full visibility of the collected data, thus inhibiting their ability to protect it. Data consolidation is an effective practice that can help them implement missing privacy protection requirements to comply with different regulations,” Mutune said.

As tedious as it is, consolidation or visibility of data can ease the compliance process for companies.

Retention of data is also an aspect of international privacy laws like GDPR. Visibility could give enterprises the power to ascertain how long they would need a particular piece of personal data.

Reevaluate cybersecurity measures

One way personal information can be abused is through cyber breaches of databases. According to an analysis by Deloitte on the Data Protection Act in Kenya, data controllers and processors are required to establish and maintain security safeguards to protect personal data.

According to the analysis, to minimise risks of data leaks, processors are advised to collect only the amount of data they need for their processes and keep identifiers minimal. Furthermore, investing in state-of-the-art cybersecurity products, employing techniques that would safeguard the integrity of personal data and having periodic audits can help organisations minimise breach possibilities within their systems.

Anonymize data

When necessary, policies that encourage data anonymisation can enable companies to use data without exposing it to a breach.

The leading telecom company in Kenya, Safaricom, is changing this by introducing a feature that will hide customers’ information using the C2B payment product, Lipa na MPesa. There have been calls for the company also to digitise the MPesa deposit and withdrawal process.
Currently MPesa agents maintain a physical registry, which is prone to abuse.

“The primary objective of data anonymisation is to eliminate the possibility of associating the information with a single individual, hence reducing privacy violation risks significantly,” Mutune said.

Work locally, thinking globally

When it comes to privacy laws, international boundaries are invisible. It is good to take into account what policies might affect an enterprise beyond where it is stationed.

"The GDPR is a global regulation implemented in numerous organisations worldwide. Therefore, understanding compliance practices and requirements can assist African companies in maintaining compliance with current privacy laws," Mutune said.

He added that such compliance could propel local companies and enterprises to compete globally without the risks of infringing on privacy laws.

Another aspect of “thinking globally” is to consider the services and products a company buys and ensure that they are in line with all the laws so as not to be exposed to litigation.

The time to start data protection efforts is now

It might take time for enterprises to comply with data protection laws and proposed legislation that has not yet been implemented. But this does not prevent them from starting to chart ways to ensure personal information is protected. It begins with a change of management thinking on how they should engage with customer data.

For some companies, it might be costly to put in place appropriate tools and measures. However, locally and internationally, legislation will compel organisations to put in place policies for personal data protection.