5 things for African CIOs to do in the vacuum of data privacy laws

The legal regime for data protection in Africa is fragmented, with only about half of nations in the region enforcing data privacy laws. Here are 5 steps CIOs and other tech execs can take to deal with a complicated legal situation.


While some African countries have enacted personal data protection laws, just as many nations either have pending privacy legislation that has not yet been implemented, or have not even gotten to the stage of preparing drafts of such rules. It's a confusing situation for CISOs and other enterprise tech executives, especially those who do business internationally.

Almost half of the 54 countries in Africa have either draft laws not passed by government or no legislation at all, according to UNCTAD’s Data Protection and Privacy Legislation Worldwide map. And often, those that have passed data protection rules are not implementing them.

Kenya, for example, passed data protection regulations two years ago and established the Office of the Data Protection Commissioner, but data protection rules have not been strictly enforced. Most organisations are yet to comply with the requirements. Savings cooperatives (savings and credit cooperative organizations, or SACCOs), which deal with a lot of customer information, are yet to put measures in place to protect personal data, according to recent research by cybersecurity firm Serianu.

According to the law, SACCOs need to get a customer’s consent to use their information, especially with third-party entities. At the moment, though, the SACCOs are not ready for compliance with the law. But it is not only the SACCOs. Businesses across Africa need to get ahead of legislation using proven market practices.

A paper released by the US International Trade Commission notes the largely unenforced laws across the continent. “Many of these regulations are currently in the process of being developed: in some cases, regulatory authorities to enforce data standards have not been created or staffed. As a result, firms may not have yet changed their data practices even in countries with data protection regulations in force,” the report says.
