Handling Advisory on Data & Privacy Law – Ong’anya Ombo Advocates

Data protection and privacy laws involve more than assessing what the laws provide and complying merely by issuing internal or external policies on data and privacy matters. For an organisation to understand the intricacies of internet law, which generally covers data and privacy law, it is essential to factor in the operations of the entity as well. This involves a conversation with the Information Technology (IT) department team or head to gain a clear understanding of the systems set up by the organisation.

Understanding how data and privacy laws impact an organisation requires understanding how the organisation collects data, which is generally through a physical or an online model. Physical collection entails providing information at entry points of various offices, or through medical forms, surveys, or questionnaires, while online data collection includes signing up for newsletters, sending emails, mere access to an online platform, and applying for an opportunity or requesting information.

The methods mentioned above are the more direct ones. However, there are also indirect means of collecting information, which involve using small text files known as cookies. There are numerous types of cookies, yet not all cookies are intentionally installed on the website; some are introduced through third-party services that the website relies on to provide its services.

In instances where a website relies on third-party services, the website owner is required to make sure that the third-party service provider is also compliant with the applicable data protection laws or regulations. In most privacy policies, it is common for an organisation to indicate that, where it utilises third-party services, the organisation is not responsible to the user, as the third-party entity has its own set of terms and conditions, including its privacy and cookie policy.

It is important to note that where the website relies on plugins, Application Programming Interfaces (APIs), or add-ons under specific plugins, the organisation will need to confirm with the other organisation whether the third-party plugin, API, or add-on is compliant.

Interestingly, while most organisations focus on data and privacy law with respect to third parties, especially those accessing their website, data and privacy law also extends to data collected about staff through physical forms or online means. As a result, an organisation needs to restructure and seek consent from its staff on how it intends to utilise staff data for any purpose other than the one for which the information was initially collected.

Data and privacy laws are structured to require, directly and indirectly, changes to hardware setup and software code to avoid breaching the applicable law. Therefore, there are numerous ways in which organisations must objectively look into data laws to ensure that, at all material times, the organisation is compliant with the set laws and regulations.