Data Privacy
Navigating Data Privacy: Ethical CRM Practices In Kenya's Evolving Digital Landscape
By Tamara Betty Asonga
Not long ago, I found myself grappling with unspoken concerns among colleagues about how I managed customer data. Though I was confident I had upheld every rule and regulation, the experience prompted a deep dive into Kenya’s data protection framework and a renewed commitment to transparency, trust, and ethical customer relationship management.
These days, customers expect more than a good product; they expect to feel safe. A recent concern from a colleague got me thinking more deeply about how we’re handling the data entrusted to us. As professionals in Customer Relations and Service, our work increasingly revolves around collecting and leveraging customer information to create personalized, seamless experiences. Yet, this must be done with the highest standard of care and integrity. Recent concerns about data handling within our teams have served as a timely reminder to revisit our ethical obligations and legal frameworks, particularly here in Kenya.
Understanding the Legal Framework
Kenya has made real progress in building a better data protection culture, and the laws now reflect that shift. At the center of this legal framework is the Data Protection Act, 2019, a comprehensive law that regulates the processing of personal data by both controllers and processors. The Act emphasizes informed consent, transparency, accuracy, and security in data processing, and it empowers individuals with rights such as access, correction, deletion, and objection. Importantly, it mandates that breaches be reported within 72 hours, underlining the urgency of responsible data stewardship.
As CRM professionals, we’re often the custodians of sensitive information. This is an immense responsibility that demands not just technical safeguards, but ethical mindfulness. Let us be the reason customers feel safe sharing their stories, trusting our systems, and engaging more deeply. Ethical data handling isn’t just smart, it’s the right thing to do.
Complementing the Act are the Data Protection General Regulations, 2021, which offer practical guidelines for compliance. These include mandatory registration with the Office of the Data Protection Commissioner (ODPC), conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities like large-scale CRM systems, and maintaining detailed records of data processing activities. The appointment of Data Protection Officers (DPOs) for organizations with extensive data operations is also required to ensure dedicated compliance oversight.
These regulations are enforced by the Office of the Data Protection Commissioner, an independent body established under the Act. The ODPC issues operational guidelines, investigates complaints, conducts audits, and has the power to impose significant penalties of up to KES 3 million or 2% of an organization's annual turnover. This is not theoretical. Enforcement actions have already been taken, including sanctions against telecom companies for data breaches in recent years.
The Constitution of Kenya (2010) further anchors data privacy in Article 31, guaranteeing the right to privacy, which includes protection against unauthorized data collection and use. Sector-specific laws, such as the Kenya Information and Communications Act (KICA), also underscore these protections, particularly
54 MAL67 / 25 ISSUE