Date: 2022-03-29

The Data Protection Act 2019 defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Communications Authority of Kenya data reveals that there were more than 56 million cyber threats in 2020 and 37.1 million in 2019. Kenyans need awareness of the risks posed to personal data by new technological platforms and how novel solutions could help to ameliorate the risks.

Kenyans are alive to the risk or threat of data breaches from unauthorised access to, or hacking of cloud storage facilities, like the servers and network systems that store personal data; and also the risk or threat of automatic data storage or processing without informed consent from users.

Solutions include blockchain technology, one of the key safeguards against computer hacking and breaches of personal data. A blockchain is “a public and shared database that records transactions between two parties”. A blockchain document or transaction is confirmed and cryptographically verified by other participants or nodes in the network and then made into a ‘block’ on the blockchain.

Blockchain

However, there are concerns that, first, blockchain could potentially breach the law, which guarantees data subjects the right of erasure or to be ‘forgotten’. The right of erasure allows one to request data controllers and processors to remove certain undesirable information that they would like to forget.

The second is privacy by design or privacy by default. Data laws require organisations to embed or enable privacy-enhancing technology at the design stages of their processing systems. That means they must work with software vendors. Examples include applications that could facilitate access to data on request by data subjects, as guaranteed by law.

A privacy feature could facilitate the right of data subjects to request the correction of inaccurate data held by the controller—as guaranteed by the right to rectification conferred by the law. Or a privacy-enhancing feature could enable a data subject to exercise their right to request the removal of unsavoury information as guaranteed by the right to erasure.

Impact assessment

Thirdly, data protection impact assessment requires data controllers to be aware of the technological environments in which they operate. Data laws require data controllers and processors to carry out impact assessments of the risks posed by their processing systems to data subjects. In some cases, a special risk assessment form, a ‘data protection impact assessment (DPIA) form’, will be required, if the processing activities are “likely to result in high risk to the rights and freedoms of natural persons”.

It is critical that data controllers and data protection officers are aware of the duality of technological platforms and their potential to simultaneously threaten and protect personal data.