by Vincent Matinde

5 things for African CIOs to do in the vacuum of data privacy laws

Sep 19, 2021
Compliance, Data Privacy, Security

The legal regime for data protection in Africa is fragmented, with only about half of the nations in the region enforcing data privacy laws. Here are five steps CIOs and other tech execs can take to deal with a complicated legal situation.

Image: a face superimposed on a keyboard (privacy, hacker). Credit: Thinkstock

While some African countries have enacted personal data protection laws, just as many nations either have pending privacy legislation that has not yet been implemented, or have not even gotten to the stage of preparing drafts of such rules. It’s a confusing situation for CISOs and other enterprise tech executives, especially those who do business internationally.

Almost half of the 54 countries in Africa have either draft laws not yet passed by government or no legislation at all, according to UNCTAD's Data Protection and Privacy Legislation Worldwide map. And often, those that have passed data protection rules are not implementing them.

Kenya, for example, passed data protection legislation two years ago and established the Office of the Data Protection Commissioner, but the rules have not been strictly enforced, and most organisations have yet to comply with the requirements. Savings and credit cooperative organisations (SACCOs), which handle a lot of customer information, have yet to put measures in place to protect personal data, according to recent research by cybersecurity firm Serianu.

According to the law, SACCOs need a customer's consent to use their information, especially when sharing it with third-party entities. At the moment, though, the SACCOs are not ready to comply with the law. But it is not only the SACCOs: businesses across Africa need to get ahead of legislation by adopting proven market practices.

A paper released by the US International Trade Commission notes the largely unenforced laws across the continent. “Many of these regulations are currently in the process of being developed: in some cases, regulatory authorities to enforce data standards have not been created or staffed. As a result, firms may not have yet changed their data practices even in countries with data protection regulations in force,” the report says.

The situation means that CISOs and other technology leaders operate in an uncertain legal climate, for example wondering how quickly they need to prepare for laws or draft rules that have not yet been implemented, or doing business in different countries that are at various stages of drafting data privacy legislation.  

Africa-based companies that do business in the EU or with EU companies also need to adhere to GDPR regulations, whether or not their own national governments have implemented data privacy rules.

In the face of such complications there are various steps CISOs and other tech leaders can take to start getting their businesses in shape to deal with data laws and consumer security concerns. Here are five ways to get ahead:

Appoint a data officer

For most enterprises, appointing a data officer would be a logical start toward ensuring compliance with data protection laws. Data-officer duties might fall to the CIO, but top tech executives can also train and appoint someone to put in place policies that align with data protection legislation.

“Essentially, the role of a data officer is to ensure employees use collected personal data for the purpose it was collected for and enforce appropriate data governance strategies,” said George Mutune, a Nairobi-based cybersecurity specialist at Ignyte Assurance Platform.

Monitoring the collection, use and transmission of personal data identifies privacy protection requirements stated in various laws that the organisation is not yet meeting, Mutune said. Data officers also track changes in privacy regulations so they can advise the organisation of new compliance requirements.

Consolidate data

It is paramount to know where collected data is residing to be able to protect it. There are many data inlets in an organisation, and having this visibility is a prudent way of managing personal information. Mutune says that using legacy technologies to access, process and store data may land customer information in various silos.

“As a result, [organisations] may not have full visibility of the collected data, thus inhibiting their ability to protect it. Data consolidation is an effective practice that can help them implement missing privacy protection requirements to comply with different regulations,” Mutune said.

As tedious as it is, consolidation or visibility of data can ease the compliance process for companies.

Limits on data retention are also an aspect of international privacy laws like GDPR, which requires that personal data be kept no longer than necessary for the purpose it was collected for. Visibility gives enterprises the ability to ascertain how long they actually need a particular piece of personal data, and to delete it when that period ends.

Reevaluate cybersecurity measures

One way personal information can be abused is through cyber breaches of databases. According to an analysis by Deloitte on the Data Protection Act in Kenya, data controllers and processors are required to establish and maintain security safeguards to protect personal data.

According to the analysis, to minimise the risk of data leaks, processors are advised to collect only the amount of data they need for their processes and to keep identifiers to a minimum. Furthermore, investing in state-of-the-art cybersecurity products, employing techniques that safeguard the integrity of personal data, and conducting periodic audits can help organisations reduce the likelihood of breaches within their systems.

Anonymize data

Where it is feasible, policies that encourage data anonymisation let companies use data for analytics and other secondary purposes without exposing identifiable customer information if that data is later breached.

Safaricom, Kenya's leading telecom company, is moving in this direction by introducing a feature that hides customers' information in its C2B payment product, Lipa na MPesa. There have also been calls for the company to digitise the MPesa deposit and withdrawal process: currently MPesa agents maintain a physical registry of customer details, which is prone to abuse.

“The primary objective of data anonymisation is to eliminate the possibility of associating the information with a single individual, hence reducing privacy violation risks significantly,” Mutune said.
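The following is an added example, not code from the article or from Safaricom or any other company it names. It ties together the data minimisation advice above (collect only what is needed, keep identifiers minimal) and the anonymisation objective in Mutune's quote. It assumes a constructed record layout (name, phone, national ID, date of birth, transaction date, amount, merchant) and Kenyan-style mobile numbers, both invented for illustration, and uses a placeholder HMAC key that in practice would live in a key management system outside the analytics environment. It also shows why a plain hash of a phone number is not anonymisation: the number space is small enough to enumerate.

```python
"""Anonymise customer transaction records before they are shared for analytics.

Added example (not the article's or any named company's code). Record layout,
sample people and the number format are constructed for illustration.
"""
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample records: invented names, numbers and amounts.
RAW_RECORDS = [
    {"name": "Amina W.", "phone": "+254712340001", "national_id": "11111111",
     "dob": "1988-04-12", "txn_date": "2021-09-03", "amount": 1500, "merchant": "M001"},
    {"name": "Brian O.", "phone": "+254712340002", "national_id": "22222222",
     "dob": "1985-11-30", "txn_date": "2021-09-17", "amount": 2200, "merchant": "M001"},
    {"name": "Cynthia K.", "phone": "+254712340003", "national_id": "33333333",
     "dob": "1995-01-08", "txn_date": "2021-09-21", "amount": 480, "merchant": "M002"},
    {"name": "David M.", "phone": "+254712340004", "national_id": "44444444",
     "dob": "1992-06-19", "txn_date": "2021-09-25", "amount": 9800, "merchant": "M002"},
]

# Direct identifiers the analytics use case does not need: drop, don't transform.
DROP_FIELDS = ("name", "national_id")
# Placeholder key (assumption): real deployments fetch it from a KMS/HSM and
# never copy it into the analytics environment. Destroying the key later turns
# pseudonymous tokens into anonymous ones.
KEY = b"placeholder-key-keep-outside-analytics"
REFERENCE_DATE = date(2021, 9, 30)  # fixed so computed ages are reproducible


def plain_hash(phone: str) -> str:
    """The weak approach: an unkeyed hash. Kept here only to show the attack."""
    return hashlib.sha256(phone.encode()).hexdigest()[:16]


def pseudonymise_phone(phone: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token, truncated to 64 bits for compactness."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob: str, today: date = REFERENCE_DATE) -> str:
    """Generalise a date of birth to a ten-year age band."""
    y, m, d = (int(x) for x in dob.split("-"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def amount_band(amount: int) -> str:
    """Coarse buckets so an exact amount cannot be matched to a till receipt."""
    for upper in (500, 1000, 5000, 10000):
        if amount < upper:
            return f"<{upper}"
    return ">=10000"


def anonymise(record: dict, key: bytes) -> dict:
    out = {k: v for k, v in record.items() if k not in DROP_FIELDS}
    out["phone"] = pseudonymise_phone(out["phone"], key)
    out["age_band"] = age_band(out.pop("dob"))
    out["txn_month"] = out.pop("txn_date")[:7]       # "2021-09-03" -> "2021-09"
    out["amount_band"] = amount_band(out.pop("amount"))
    return out


def anonymise_all(records, key: bytes):
    return [anonymise(r, key) for r in records]


def min_group_size(records, quasi_identifiers) -> int:
    """k-anonymity check: the smallest number of records that share one
    combination of quasi-identifiers. A group of size 1 singles someone out."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


def recover_phone(token: str, prefix: str = "+25471234", digits: int = 4):
    """Attacker's view: enumerate every number behind a known prefix and hash
    each one. Only 10**4 candidates here; the full +2547XXXXXXXX space is
    10**8, still minutes of work. Succeeds against plain_hash tokens, fails
    against HMAC tokens because the attacker does not have the key."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if plain_hash(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    anon = anonymise_all(RAW_RECORDS, KEY)
    for row in anon:
        print(row)
    print("k for (merchant, age_band, txn_month):",
          min_group_size(anon, ("merchant", "age_band", "txn_month")))
    print("k for (merchant, age_band, amount_band):",
          min_group_size(anon, ("merchant", "age_band", "amount_band")))
    print("plain hash reversed to:", recover_phone(plain_hash("+254712340003")))
    print("HMAC token reversed to:", recover_phone(pseudonymise_phone("+254712340003", KEY)))
```

Two design points matter more than the specific bucket sizes. First, the phone token is keyed: with a plain hash, `recover_phone` gets the number back in a fraction of a second, which is why hashing alone is pseudonymisation at best. Second, `min_group_size` is the check to run before releasing a dataset; on the sample records, grouping by merchant, age band and month gives every person at least one look-alike, but adding the amount band leaves two people uniquely identifiable, so that column would have to be coarsened further or dropped.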

Work locally, think globally

When it comes to privacy laws, international boundaries are effectively invisible: a law can reach a company through its customers, partners and suppliers, not just its headquarters. It is prudent to take into account which policies might affect an enterprise beyond the country where it is based.

“The GDPR is a global regulation implemented in numerous organisations worldwide. Therefore, understanding compliance practices and requirements can assist African companies in maintaining compliance with current privacy laws,” Mutune said.

He added that such compliance could propel local companies and enterprises to compete globally without the risks of infringing on privacy laws.

Another aspect of “thinking globally” is to consider the services and products a company buys and ensure that they are in line with all the laws so as not to be exposed to litigation.

The time to start data protection efforts is now

It might take time for enterprises to comply with data protection laws and proposed legislation that has not yet been implemented. But this does not prevent them from starting to chart ways to ensure personal information is protected. It begins with a change of management thinking on how they should engage with customer data.

For some companies, it might be costly to put in place appropriate tools and measures. However, locally and internationally, legislation will compel organisations to put in place policies for personal data protection.