
Webinar Summary: Understanding DPIAs with Kenya’s ODPC

(Condensed for clarity & mobile viewing)

1. Opening & Introductions

  • Host (Dr. Mugambi, Chairperson, Data Privacy Society of Kenya):
    • Welcomed attendees and introduced the ODPC representatives: Patrick Gagay (Central Region) and Alpha Sagas (Kisumu Office).
    • Highlighted the Society’s role in bridging gaps between regulators, private/public sectors, and academia.
  • ODPC’s Mandate:
    • Awareness creation and capacity building on data protection compliance.
    • DPIA guidance aligns with Section 31 of Kenya’s Data Protection Act (2019) and GDPR-inspired regulations.

2. Key DPIA Concepts

A. What is a DPIA?

  • A structured risk assessment for processing that is likely to be high-risk (e.g., AI, biometrics, large-scale monitoring): it identifies the risks to data subjects and the measures that reduce them.
  • The DPIA report must be submitted to the Data Commissioner at least 60 days before processing begins (Section 31).

B. When is a DPIA Needed? (Regulation 49)

  1. Automated decision-making (e.g., credit scoring).
  2. Processing biometric/genetic data.
  3. Large-scale data linking (e.g., merging datasets).
  4. Innovative tech (e.g., IoT, AI-driven apps).
  5. Monitoring public spaces (e.g., CCTV).

C. Who Conducts a DPIA?

  • Collaborative effort:
    • Process Owner: Defines project goals (user specifications).
    • Technical Team: Maps data flows and technical safeguards.
    • DPO: Advises on compliance and reviews the assessment, but does not draft it alone.
  • Misconception: DPOs are advisors and reviewers, not the sole authors of the DPIA; the process owner and technical team must supply the substance.

3. Common DPIA Mistakes (ODPC Observations)

  1. Ignoring the ODPC Template: Use the official DPIA template.
  2. Poor Data Flow Mapping: Clearly describe collection → storage → deletion.
  3. Weak Consent Mechanisms: Ensure granular, transparent consent (avoid pre-ticked boxes).
  4. Incomplete Risk Assessments: Cover both technical risks (e.g., data stored or transmitted without encryption) and organizational risks (e.g., staff training gaps, unclear access approval), and state the control applied to each.

Example: A school’s student app must show how data is collected, stored, and deleted—not just claim compliance.


4. Key Questions Answered

Q1: Can a vendor submit a DPIA for a client?

  • A: No. The data controller (the client) owns the DPIA. A vendor or processor can help prepare it, but the controller must validate and submit it, normally through its DPO.

Q2: How to assess risk likelihood/impact?

  • A: Score each risk on a 5-point scale for likelihood (1=rare, 5=almost certain) and impact (1=negligible, 5=severe) and multiply the two. Score once before controls (inherent risk) and again after the planned measures (residual risk); the residual score must fall within the organization’s stated tolerance, and anything above it needs further measures or a consultation with the ODPC.

Q3: Is a DPIA mandatory for existing systems?

  • A: Yes! Retroactive DPIAs are accepted (though the Act requires pre-processing assessment).

Q4: Must all organizations appoint a DPO?

  • A: The Act says “may appoint” (Section 24), but publishing DPO details is mandatory if appointed.

5. Upcoming Steps

  • ODPC Plans:
    • Clarify risk assessment metrics (e.g., 3×3 vs. 5×5 matrices).
    • Update DPIA guidelines based on stakeholder feedback.
  • Society’s Role: Advocate for clearer regulations (e.g., DPO appointment rules).

Next Session: Deep-dive into consent mechanisms (August 12).


Host Closing: “Thank you, ODPC and members! Let’s continue collaborating to advance privacy in Kenya.”


Attendee Poll Results:

  • 45% had done a DPIA before.
  • 55% were new to DPIAs.
Ian Olwana supports African organisations in turning data protection laws into practical, sustainable governance practices.

http://datagovernance.africa
