GDPR in Kenya - A Guide for E-Commerce Merchants
Jul 12, 2023
GDPR is a data privacy law that sets rules on how websites can collect and use data on EU residents. Learn how to comply with GDPR in Kenya.
Did you know GDPR has an extraterritorial effect? The European data protection law requires that every e-commerce merchant selling its products in the EU comply with its regulations.
GDPR compliance is not dependent on where your e-commerce business is located. You must comply if you draw customers from the EU.
But what exactly does GDPR mean, what does it require from digital commerce websites, and are there any benefits that online merchants in Kenya can gain from complying with GDPR?
Let’s find out.
What is data protection?
Data protection safeguards any information that relates to any identifiable person from theft, corruption, interception, or loss. This information includes a person’s name, birth certificate, social security number, telephone number, email address, and bank account number.
Identity, contact, and banking information are sensitive, as theft or misuse can seriously prejudice its owner. For example, banking or credit card information can easily be used to steal money or pay without the owner’s authorisation.
Why is data protection important?
Data protection is essential to prevent confidential information from falling into the wrong hands, which can seriously endanger their privacy and safety.
You can probably think of why you don’t want your home address, email, or phone number to be public information. Personally, I don’t know how many times I have had to delete spam emails and unsubscribe from newsletters and email lists I never signed up for.
There have been cases where stolen personal information has been used to commit crimes and, in others, to set up ghost social media accounts that have been used to scam people and spread misinformation.
Organisations that collect personal information are obligated to secure and keep it confidential. You collect customers’ payment information and shipping addresses on your checkout pages as an online business.
If your customers' personal information was intercepted as customers completed purchases or stolen from your servers, you could suffer irreparable damage to your business image.
The rise of e-commerce and the exploding popularity of digital banking platforms, subscription software tools, and social media means the amount of people’s personal has grown substantially and continues to grow.
There’s simply too much of people’s confidential information stored online that it is essential to put in place safeguards to ensure it is not misused. So governments worldwide have been forced to enact data and privacy protection laws. No doubt, the one that gained attracted the most attention is GDPR.
What is GDPR?
GDPR is an acronym for General Data Protection Regulation, a European Union enacted to protect data privacy and security. The EU parliament passed GDPR in 2016 and effected into law on May 25, 2018.
The law requires consent before collecting customers' and website visitors’ personal data. This consent must be “freely given, specific, informed and unambiguous.” The request for such consent must be written in plain and clear language so it is ‘clearly distinguishable from other matters’.
As an online merchant, you can’t accept consent from people below 13 years unless supported by permission from the parents.
GDPR recognises that more people are entrusting their personal data with cloud services and that the potential for security breaches and loss of this information is high. The law was created to prevent this and does so very aggressively.
Before GDPR, consumers had little control over how their information was collected, kept, and used. The law aimed to empower consumers and give them more control over their personal information.
GDPR requires compliance from every organisation that processes personal information collected from a resident of the EU. Article 3.1 of the act expands on the scope of the act by stating that compliance is required even if the said personal information is not stored in the EU.
Does GDPR apply in Kenya?
Yes, GDPR applies in Kenya, but only to businesses that offer goods and services to residents of the EU. In short, GDPR applies to you even if your business is not located in the EU.
More accurately, you must comply with GDPR rules if you collect data from an EU resident or track them with cookies and through their IP addresses. You don’t have to have sold them anything. The law aims to regulate how cloud services and digital platforms collect, store, and use people’s data.
What are the 7 principles of data protection under GDPR?
GDPR rules apply universally. They are not specific to any one country. But the goal is the same everywhere: to protect people’s privacy and ensure their personal information does not fall into the wrong hands.
Understanding the law entirely will be challenging, considering it is hundreds of pages long. To summarise the law's main goals, we can quickly review GDPR’s 7 main principles of data protection:
Lawfulness, fairness, and transparency,
Purpose limitation,
Data minimisation,
Accuracy,
Storage limitation,
Integrity and confidentiality,
Accountability.
To expand on these principles, GDPR aims to impress upon data collectors and processors the responsibility to only use people's data for what it was collected for, collect only the data you need for your purpose, store it for no longer than is necessary, and keep it accurate, up-to-date, and confidential.
It’s important to discuss how the law approaches data security, including how it defines the key terms.
So what is personal data in the context of GDPR?
GDPR defines personal data as any information that relates to an individual who can be directly or indirectly identified. It also expands on what we commonly consider personal data to include website cookies, gender, biometric data, political and religious beliefs, and ethnicity.
The person whose data you are handling, your customer or website visitor, is referred to as the data subject. You, the merchant or e-commerce store, are the data processor, while the person you charge with the duty to determine how people's data will be collected and used is the data controller.
The data processor will be the third-party tools and services that process the data on your behalf. This could be your cloud storage provider, email marketing platform, or payment gateway.
Consequences for GDPR violation
GDPR severely punishes organisations that infringe on EU consumers' right to privacy. Non-compliance with the law is costly, no matter the size of your business. Punishments can range from reprimands to bans and steep fines.
The fines GDPR imposes on those that infringe on it depend on the violation's severity, the infringement's duration, and the size of the organisation being punished. The law’s supervising authority also considers:
the intention of the violation (whether intentional or a result of negligence),
Previous infringements,
Actions taken to address the infringement and prevent future breaches,
What type of personal data was compromised.
However, the goal is to ensure the fine is effective, proportionate, and dissuasive. The offending parties must feel the effect of the punishment on their business.
Is there a data protection act in Kenya?
The Data Protection Act of 2018 is the law that protects people’s personal data and right to privacy. Like GDPR, this law requires that personal data that identifies people be kept for no longer than is necessary for the purpose it was collected. It also establishes Kenyan citizens’ right to be forgotten or have their information removed from the internet.
The Data Collection Act in Kenya established the Office of the Data Protection Commissioner as the country's data protection regulator. The commissioner is responsible for enforcing the law, which includes fining those in violation.
The highest fine imposed for data protection violation is KSH5 million, slapped on OPPO Kenya. So whether you are a multinational, SME, or government agency, you must know what the law says about how people’s data can be used.
How to comply with GDPR in Kenya
To comply with GDPR, your website must disclose that it collects personal data. You must also explain why and how you collect the data and where you will store it. If your core business is to collect and process personal data, the law stipulates that you must have a data protection officer on your staff.
According to the GDPR, you must get explicit consent before collecting, processing, or using an EU citizen's personal data. So it is critical to review how you collect personal data from website visitors and your purpose for collecting that information.
Thankfully, there are several ways you can comply with GDPR. You should upgrade the CMS to version 4.9.6 or higher if your website runs on WordPress. These versions have GDPR-compliant features backed in as a default. Otherwise, you can comply by taking the following measures:
Add a privacy page (There are many sample GDPR privacy page templates you can download and use for free, like this one by WordPress.
Upgrade to HTTPS
Add a checkbox in the comments so people can give consent before leaving comments on your website,
Add a privacy checkbox on your contact forms so readers can consent to you collecting and keeping their personal information.
Add a cookie notice that pops up when a visitor first arrives on your website.
It is also essential to have a GDPR compliance checklist you periodically review to ensure you remain compliant. A faster way to do that will be through a GDPR compliance tester like this one.
IntaSend prioritises the security of your customer's personal data
As the payment gateway of choice for many e-commerce businesses in Kenya, IntaSend protects your customers’ personal data from malicious actors' misuse, theft, and interception. We fully appreciate the importance of complying with GDPR in Kenya and our other markets.
Our payment gateway is PCI DSS compliant and uses advanced encryption tools to secure your data when processing payments with banks and ensure it is not misused. We regularly test our systems for weaknesses that may put users’ data at risk of theft or interception.
Sign up with IntaSend to start accepting payments on your website and enjoy faster, smoother checkouts, fewer abandoned carts, and higher sales.