Why data privacy is still a minefield for Kenyan companies

Only 36 per cent of Kenyan companies are aware of privacy laws governing their business processes, despite the Data Protection Act being in effect since 2019, a new survey has disclosed.

 The survey, conducted by WorldWideWorx and commissioned by global technology company Zoho, also reveals that even though businesses are concerned about the privacy of customer data in the hands of third-party vendors, they rely on them for revenue generation and gathering consumer insights.

 According to WorldWideWorx chief executive Arthur Goldstuck, the lack of awareness about the law in ‘Silicon Savannah’ is largely because the data law is not part of “business-critical activities” like taxation and licensing.

 However, 77 per cent of the businesses indicated that they have well-documented policies for customer data protection, although only 56 per cent are strictly applying them.

 “Businesses in Kenya consider themselves digitally advanced, with 28 per cent of respondents saying they were completely digital and 18 per cent noting they were close to being completely digital,” he told Smart Business.

 Of the 352 businesses surveyed across various industries and sizes in Kenya, 58 per cent said they allow third-party trackers on their website, mostly for sharing content on social media (64 per cent), tracking affiliate relationships (45 per cent) and ad campaigns (43 per cent).

Digital ad platforms

 “There is also a heavy dependence on digital ad platforms. The respondents believe that keyword search ads, at 36 per cent and social media ads (62 per cent) were quite effective for customer conversion,” the study shows.

Eight-four per cent of businesses said the third-party ad platforms also help them meet sales targets.  Given this overreliance on third-party vendors, it is no wonder then that, even though 56 per cent of businesses express concern over the use of their customer's data, they are largely either 'comfortable' or 'neither comfortable nor uncomfortable' with the platforms.

 Even the 10 per cent who are uncomfortable state they cannot move away from the platforms as they are crucial to their business or that it is too complex to move away.  Interestingly, 24 per cent of businesses reported that they do not completely understand how third-party vendors utilise their customer information.

 “When businesses choose to use a free tracker, they are paying for it with their consumer's data," said Andrew Bourne, regional manager for Africa, Zoho.

 He added that presently, Kenyan businesses turn a blind eye to this passive data collection by trackers, most likely because they are dependent on them for revenue.  “However, consumers will eventually trust companies with transparent privacy policies that protect their personal information. Businesses hoping to stay relevant in the long term will need to either rethink their reliance on third-party platforms or demand greater transparency and accountability from them.”

  Kenyan businesses believe that the data law, one of the first in Africa, either has had no effect (46 per cent) or a positive effect (39 per cent).  Their biggest concerns with the law are increased cost of governance at 45 per cent, increased complexity at 27 per cent and the loss of analytics data at 29 per cent.

Share customer data

 Globally, the motivation to share customer data has been around, earning more revenue when third parties purchase the data, while consumers are inspired by getting the technology for free.

 However, some companies do not disclose or clearly tell users which personal data is collected and which one is sold, or shared, with a third party.

 “There are numerous websites that allow users to view the information that is collected or shared, but it should be the businesses’ responsibility to be transparent about the data they collect and who they sell or share it with,” Mr Bourne told Smart Business.

 Kenya’s Data Commissioner Immaculate Kassait says efforts are being put to create digital business awareness to the public, with regard to the use of personal data.    “The Office of the Data Protection Commissioner has prioritized measures to ensure that the processing of personal data including the use of AI, 5G, Internet of Things and other new technologies is carried out within the law,” she said.

 While noting that these technologies present policy, legal and regulatory challenges, Ms Kassait explained that among the measures her office is taking is allowing the public to report data breaches through an online portal.

 “We are implementing a framework for data breach complaint resolution and another one for carrying out periodic system audits to ensure compliance.”

 While African governments are slowly appreciating the critical nature of protecting their citizens’ data, only a few seem to be making huge strides towards data protection.  The question of consent from customers in how their data is used has dominated global debates.