Blog Single Post

If your organisation has been wondering how to understand what Data Protection is all about, in practical terms after registration as either a data processor or a data controller, the next two critical steps are making sure that you have the required policies in place and then ensure that your staff are trained. The policies that need to be drafted and put in place are a Data Protection Policy including a  Complaints Handling and Privacy Policy. There are guidelines given by the law on what such a policy should contain.

Once these policies are in place an organisation is not yet out of the woods. It’s employees need to understand how the Data Protection Act relates to the organisation so that infringements based on ignorance or dereliction of duty do not arise. This is where training becomes critical.

Effective training explains the basics of data protection law and practice in a simple down to earth fashion. The goal in this respect is to inform, clarify and advise employees and all actors in the organisation to mitigate risks that could arise leading to breaking the law.

When does this training need to be done? For all organisations immediately upon registration, and when new employees are hired, then regularly to refresh the understanding of existing employees. Finally, how can this training be done? The Data Protection Officer in an organisation can carry out the training or any other person who has a good understanding of the requirements of the Kenyan data protection law. The organisation could also get external expertise to undertake the training on its behalf.

If you need professional help in drafting the policies referred to in this brief guidance note, or training of your organisation’s staff, you can contact the undersigned at mercy.nderitu@mnderitu.associates.