
Kakbima and the General Data Protection Regulation (GDPR)

Introduction

Kakbima respects data privacy rights and designs its solutions to the highest global standard of regulation, the EU General Data Protection Regulation (GDPR), as well as to Kenya's own data protection law.

What is the Data Protection Law?

The Data Protection Act, 2019 came into force on 25th November 2019 and is now the primary statute on data protection in Kenya. It gives effect to Article 31 (c) and (d) of the Constitution of Kenya, 2010 (the right to privacy) and regulates the collection, use, storage and processing of personal information. The Act defines sensitive personal data as data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including the names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject. Some or all of these categories may be required when insurance is processed using Kakbima services.

GDPR Overview

Because it is a regulation rather than a directive, the GDPR applies directly as law in all EU member states simultaneously and replaces the separate member-state implementations of data protection law, streamlining compliance by providing a single set of principles to follow.

The scope of the regulation encompasses all organizations established in the EU, and any organization outside the EU that offers goods or services to individuals in the EU or monitors their behaviour within the EU, regardless of where the entity is located. The terms processing and personal data are defined broadly: processing involves "any operation or set of operations which is performed on personal data" and personal data means "any information relating to an identified or identifiable natural person ('data subject')." The GDPR sets different requirements for Controllers (entities who determine the purposes and means of the processing of personal data) and Processors (entities who process personal data as directed by a Controller).

Key GDPR Compliance Requirements

The GDPR changes the way organizations collect data, as well as how they obtain, document, and manage the legal basis for processing. Below is an overview of some of the key GDPR requirements. 

Key requirement: brief description

Data Protection by Design and Default: Controllers and Processors must build data protection into new products and services that involve processing of personal data (Design) and consider data protection in all business decisions (Default).

Lawfulness of Processing: Processing must rest on one of the legal bases in Article 6: consent, performance of a contract, a legal obligation, protection of vital interests, a task carried out in the public interest, or a legitimate interest balanced against the fundamental rights of data subjects.

Conditions for Consent: Consent must be freely given, specific, informed and unambiguous, and given by a statement or by a clear affirmative action. Requests for consent must be clearly distinguishable from other matters and written in plain language, and consent must be as easy to withdraw as it was to give.

Security of Processing: Controllers and Processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Data Subject Rights and Information: Controllers shall provide the information set out in Articles 13 and 14 to data subjects, and data subjects may access, correct, delete, restrict the processing of, and transfer their personal data, object to processing, and not be subject to decisions based solely on automated processing of their personal data.

Records of Processing: Controllers and Processors must maintain records of the processing activities carried out on personal data (Article 30).

Data Protection Impact Assessments: Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the Controller must, before processing begins, assess the impact of the envisaged processing operations on the protection of personal data.

Data Protection Officer: Controllers and Processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data, must appoint a Data Protection Officer.

Controller-Processor Relationships: Controller and Processor relationships must be governed by binding contracts that set the terms of the processing to be performed and give Controllers the right to object to sub-processors engaged by the Processor.

Data Breach Reporting: In the event of a personal data breach, the Controller shall notify the relevant Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be informed without undue delay.

Implications for SaaS companies

As a SaaS company, if we create experiences that feel personal and human, that are founded on trust and delivered with care, we will win the hearts and minds of our customers.

Our goals are aligned with the GDPR, namely to respect the rights of our customers and go on to earn their trust.

How insurers address these higher expectations around the collection, use and security of the personal data they routinely handle in the course of their work is key. We believe Kakbima can help insurers meet those expectations.

There are two key areas of the GDPR that are particularly pertinent to SaaS companies and that consequently require careful assessment of past, current and future practices. The first is consent by the individual to collect and use their personal data and the second is accountability, namely being able to demonstrate how they comply with the principles of the GDPR.

Consent Under the GDPR

Most insurance-related activities of Kakbima customers will merit using consent as the legal basis for processing personal data. All Kakbima customers should review how they obtain, document and maintain authorization for processing personal data.

GDPR defines consent as:

"Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." (Art. 4(11))

GDPR Article 7, Conditions for Consent, requires that requests for consent be clearly distinguishable from other matters and written in clear and plain language, that the data subject has the right to withdraw consent at any time (without affecting the lawfulness of processing carried out before the withdrawal), and that consent is not freely given if performance of a contract (including the provision of a service) is made conditional on consent to processing of personal data that is not necessary for performing that contract. Articles 13 and 14 set out the information to be provided to data subjects at the time of data collection.

Pre-checked or implied opt-ins are insufficient and the data subject must know to what they are consenting and that they may withdraw consent at any time. To the extent Kakbima customers are relying on consent as the lawful basis for processing personal data, they can and should, among other things, configure their instances to obtain affirmative consent and provide links to privacy policies or notices that communicate required information at the time of collection.
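The two requirements above, that consent be a clear affirmative action and that it remain demonstrable and withdrawable, are usually met by keeping an evidence trail rather than a single boolean on the customer record. The following is an added example written for this page, not Kakbima's own code or a description of how Kakbima instances are configured: a minimal consent ledger that refuses pre-checked opt-ins, records the notice version and method at the time of collection, and answers whether consent for one specific purpose was in force at a given moment. All class and field names, and the sample subject and dates, are hypothetical.

```python
# Added example (not Kakbima code): a minimal consent ledger that records
# affirmative, purpose-specific consent with the evidence needed to
# demonstrate it later (GDPR Art. 7(1)) and supports withdrawal (Art. 7(3)).
# All names and the sample data below are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    dt = datetime.fromisoformat(iso)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str         # one specific purpose, e.g. "marketing_email"
    granted: bool        # True = grant, False = withdrawal
    at: datetime
    notice_version: str  # privacy notice shown at collection ("" for withdrawals)
    method: str          # how the data subject acted, e.g. "web_form_checkbox"


class ConsentLedger:
    """Append-only log of consent grants and withdrawals."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_grant(self, subject_id: str, purpose: str, *,
                     checkbox_default: bool, checkbox_submitted: bool,
                     notice_version: str, method: str, at: datetime) -> ConsentEvent:
        # Art. 4(11)/7: consent needs a clear affirmative action. A box that was
        # already ticked when the form loaded, or one the subject left unticked,
        # is not evidence of consent, so refuse to record it at all.
        if checkbox_default:
            raise ValueError("pre-checked opt-in is not valid consent")
        if not checkbox_submitted:
            raise ValueError("no affirmative action taken by the data subject")
        if not notice_version:
            raise ValueError("the notice shown at collection must be recorded (Art. 13/14)")
        ev = ConsentEvent(subject_id, purpose, True, at, notice_version, method)
        self._events.append(ev)
        return ev

    def record_withdrawal(self, subject_id: str, purpose: str, *,
                          method: str, at: datetime) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, False, at, "", method)
        self._events.append(ev)
        return ev

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Was consent for this exact purpose in force at time `at`?

        The most recent event at or before `at` decides, so a later withdrawal
        does not retroactively unmake processing done while consent stood
        (Art. 7(3)), and consent for one purpose never covers another.
        """
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= at:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """Chronological trail that can be shown to an auditor or supervisory authority."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)


def demo() -> ConsentLedger:
    """Constructed sample: one policyholder grants marketing consent, then withdraws it."""
    ledger = ConsentLedger()
    ledger.record_grant("subj-1001", "marketing_email",
                        checkbox_default=False, checkbox_submitted=True,
                        notice_version="privacy-notice-2024-03",
                        method="web_form_checkbox",
                        at=ts("2024-03-01T09:00:00+00:00"))
    ledger.record_withdrawal("subj-1001", "marketing_email",
                             method="account_settings",
                             at=ts("2024-06-15T12:00:00+00:00"))
    return ledger


if __name__ == "__main__":
    led = demo()
    print(led.has_consent("subj-1001", "marketing_email", ts("2024-04-01T00:00:00+00:00")))  # True
    print(led.has_consent("subj-1001", "marketing_email", ts("2024-07-01T00:00:00+00:00")))  # False
    for e in led.evidence("subj-1001", "marketing_email"):
        print(e)
```

The point of keying the ledger on (subject, purpose) rather than on the subject alone is specificity: a grant for marketing e-mail says nothing about, say, sharing data with a reinsurer, so a lookup for any other purpose returns false until that purpose has its own affirmative grant. Keeping withdrawals as events rather than deleting the grant preserves the evidence that processing before the withdrawal was lawful.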

Accountability Under the GDPR

One of the most significant requirements under the GDPR is the accountability principle. Organizations must be able to demonstrate their GDPR compliance and should therefore consider what types of technical and organizational measures will allow them to meet the accountability principle.

GDPR Article 24 requires Controllers to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance” with the GDPR.

Kakbima offers a number of features and functions that can help demonstrate your compliance with the GDPR principles, such as:

  • Role Based Permissions
  • Audit Trail
  • Encryption at Rest
  • Data Management

Suggested Steps for GDPR Compliance

There are a variety of steps that companies should take to help ensure GDPR compliance, some of which include:

  • Undertake a GDPR readiness assessment, if not done already
  • Make sure your privacy program includes all GDPR requirements
  • Evaluate requirements for a Data Protection Officer and appoint one if necessary
  • Implement policies and procedures to respond to data subjects’ rights requests
  • Review and update processor and sub-processor agreements
  • Create a record of personal data processing activities
  • Obtain, document, and maintain a legal basis for each processing activity
  • Update privacy and security policies and procedures
  • Update data breach notification protocols

While the content on this page is designed to help organizations understand the GDPR in connection with Kakbima's services, the information contained here should not be construed as legal advice. Organizations should consult their own legal counsel when interpreting their obligations under the GDPR and the use of any company's products and services to process personal data.
