Immaculate Kassait
  • Commissioner
  • Office of the Data Protection Commissioner
Immaculate Kassait

Immaculate Kassait

  • Commissioner
  • Office of the Data Protection Commissioner

Immaculate Kassait was appointed Kenya's first Data Commissioner in late 2020, a significant step in the country's privacy regime. GDR asked: What are your main takeaways from the job over the last year or so, and what are you focusing on for the future?

New field, high expectations. We started from a point of lack of understanding on data privacy and very high public expectation on the Office of the Data Protection Commissioner, yet matters of data privacy are both at an individual or organisational level.

A data sharing culture: With more people sharing personal data on both social media and other digital platforms, there’s a need to draw a balance between commercial interest and human interest, whilst promoting data privacy.

New office: There was need to develop an institutional framework to start off on the right foot. To this end our office first developed a one-year operational plan to set things rolling and later on borrowed lessons from it, and developed a three-year strategy.

Need for human capital and financial resources: As a new office, we had a limited number of staff and finances to roll out our plan. The office is in the process of recruiting over 90 staff to support the work for the next two years, and our budget allocation from the government has been increased. While this is a great milestone, there’s still more to be done and hence we continue to leverage on new partnerships to scale the impact.

Need for regulations: The legal framework of the Data Protection Act 2019 needed regulations, which were published in the Kenya Gazette and passed by Parliament on 17 February 2022, thus operationalising the Data Protection Act 2019.

Future:  Earlier this year we launched our inaugural strategic plan covering the years 2022-2025 under the vision of enhancing trust and building transparency of data protection in Kenya. The plan prioritised issues of institutional capacity development, regulation and compliance services, and awareness creation on the importance of protecting personal data for the next three years. The strategic plan will help us drive a culture of data protection, attract investors from across the globe as part of the government’s digital economy, and contribute to the data protection space –  especially in Africa.

The biggest challenges in regulating data protection currently include:

A culture of sharing information: Citizens tend to fill information and allow access for applications without limitation, thus giving unnecessary access to personal information.

Unethical use of personal data: while the collection and processing of data is key to innovation and the oil fuelling the economy, there’s need to embrace data privacy in a more holistic manner and ensure that personal data collected is used for the intended purpose.

Limited skills: This being a new field, we have limited number of data privacy professionals in the country.

Perception that data protection limits innovation, yet data privacy ensures ethical business and protects the citizens from discrimination or identity theft.

Evolving technologies in the digital space poses new challenges in the processing and regulation of personal data.

To adapt to these challenges: First, we are creating awareness in partnership with industry players and civil society, to foster a culture of compliance by creating an environment for data protection to thrive. For example, during the 2022 Data Protection Week we collaborated with our partners on an awareness campaign and we look forward to have more partnerships to sustain the conversation.

Secondly, we have established international cooperation partnerships with FCDO [the UK Foreign Commonwealth & Development Office], Commonwealth Common Thread Network and African Network of Data Protection Authorities.

Thirdly, the office has dealt with and managed more than 300 complaints relating to the registration of persons to political parties without consent. Those persons who have complained to the office have been removed from the relevant registers. Additionally, the office has conducted awareness campaigns to sensitise political parties on their obligations with respect to the Data Protection Act and handling of personal data.

In a bid to boost compliance, the office has also published a Guidance Note for the Processing of Personal Data for Electoral Purposes which outlines clearly how organisations dealing with personal data for electoral purposes should handle data.

Lastly, the office is committed to building capacity for its staff and others. Earlier this year, the office in collaboration with Kenya School of Government launched a data protection curriculum, with monthly trainings targeting both the public and private sector entities dealing with personal data.

An important aspect of data regulation that sometimes goes overlooked is the rights of the data subject on direct marketing and failure of institutions to seek consent before sending them information. Second, some institutions still collect excess personal information from individuals that is not necessary.

Just like any other technology-related field, data protection is a new area with fewer women in the sector. There’s need for gender equity in the field and I encourage more young women to pursue careers in data protection to help us achieve equity in the next 10 years.

A piece of advice I would give aspiring data regulators and professionals: It is said that a journey of a thousand miles begins with a single step. With many countries globally having just started their data protection journey, a time has come to share experiences to streamline the ecosystem and improve data protection for betterment of humanity. This will help to foster a global culture of compliance, by creating an environment for data protection to thrive and spur innovation and economic growth.

Unlock unlimited access to all Global Data Review content