KENYA: DATA PROTECTION IN KENYA – IMPACT ON DUE DILIGENCE AND NAVIGATING THE COMPLIANCE RISKS
The enactment of the Data Protection Act 2019 (DPA) and the entry into effect of the Data Protection (General) Regulations 2021 have created a regulatory framework governing the processing of personal data by data controllers and data processors that are established in Kenya or process personal data of data subjects located in Kenya.
In previous communications, we have considered how the DPA intersects with consumer protection and employment matters. In this newsflash, we turn our focus to the impact of the DPA when conducting legal due diligence.
The key objectives of due diligence are to establish the status of material issues and identify the risks related to investing in or acquiring a business. It involves the investigation of various aspects, including legal standing, regulatory compliance, financing and securities, employees, contracts, litigation, tax, liabilities, fixed assets, movable assets and intangible assets such as intellectual property.
The broader transaction context should be considered during due diligence as well as the particular circumstances relevant to the Target, such as the extent to which processing personal data is key to the Target’s business, the use of personal data before and after the transaction, the transaction structure, and importantly, the applicable data privacy laws.
Due Diligence Scope
Businesses inevitably collect, organise, and store information. If such information contains personal data, these activities would in effect involve the processing of personal data. Adherence to the DPA should therefore be reflected in the processes, operations, and information held by the entity in reference to the due diligence exercise (Target).
If it is established that the Target controls or processes personal data (for example, as will be the case for a company that has employees), it is then necessary to assess whether the Target is compliant with the DPA. This may include mapping the operations of the Target and creating an inventory on the processes used by the Target to collect, record, store, adapt, retrieve, share or otherwise process personal data. In particular, it may involve establishing the following:
- different categories of personal data processed;
- the location of the data subjects;
- the basis on which the Target processes personal data
- the methods / processes of obtaining consent;
- where applicable, the basis on which the Target transfers personal data within and out of Kenya;
- the existence of appropriate safeguards for the protection of personal data including policies;
- whether the Target should be registered as a data controller or data processor with the Office of the Data Protection Commissioner (ODPC).
The above due diligence scope may be expanded or otherwise varied depending on the sector in which the Target operates, the degree to which processing of personal data and sensitive personal data is integral to the Target’s business and the expected standard of compliance.
Addressing identified risks
Once the due diligence is conducted, mitigation measures may be applied to address the privacy compliance gaps identified.
The nature of the Target’s business and its uses of personal data will determine how a data protection compliance risk will be addressed in relation to the proposed merger or acquisition. For instance, a customer database may be one of the most valuable assets of the Target, and a failure to process personal data lawfully could result in the Target having to incur considerable cost in overhauling the ways in which it processes personal data in order to achieve compliance with the DPA. The Target’s valuation or the consideration value may be altered to take into account these rectification costs.
However, before applying remedial measures, it is important to obtain professional advice on the potential impact of the identified risks, and whether it is best to address those risks before completion (such as by including specific conditions precedent to the completion of the transaction), after completion (for instance by setting out the specific contractual obligations to be undertaken upon closing the transaction), through carefully-worded warranties or indemnities in the transaction agreements, or if the risks cannot be adequately mitigated or addressed, the next steps to take.