
Controls for Implementing Kenya Data Privacy Act

BSides Nairobi · 2022 · 21:10 · 9 views · Published 2022-12 · Watch on YouTube ↗
Speakers: Deborah Rioba
Tags
Category: Policy
Topic: Privacy
Style: Talk
About this talk
Deborah Rioba examines technical and organizational controls for implementing Kenya's Data Protection Act, covering the data lifecycle from collection to disposal. The talk addresses identity and access management, encryption, privileged access management, data classification, and breach notification requirements, with emphasis on embedding privacy by design throughout organizational processes.
Transcript [en]

We'd like to once again welcome you. I don't want to repeat what Johnson said, but what I know is that today is going to be a very exciting event, both for the technical people and also for the non-technical people right here. Feel free. I'm really hoping you are going to learn, and I'm really hoping you are going to continue showing up. [Music] Thank you so much, and I look forward to interacting with each and every one of you. Thank you. [Applause] Thank you very much, Lawrence, and just a quick announcement. [Music] So make sure that you're on your best behavior. If you want to be curious, be curious; be camera friendly and curious. Then one thing I want to mention is that you can go ahead on Twitter; our hashtag is #BSidesNairobi2022, so feel free to tweet, feel free to tag us, feel free to thank anyone who has helped, and then make it all you're going to have met a few of our friends again [unclear]. So I'll hand over to [name unclear] to introduce our first session. [Music]

So for the first session I'm going to have Deborah Rioba talking to us about technical controls for implementing the Kenya Data Privacy Act. So just a brief about Deborah: she is a cybersecurity, privacy and [unclear] technologies senior consultant at [unclear], focused on vulnerability and threat management. She's passionate about data privacy and protection and has conducted data privacy gap assessments and data flow mapping for local and multinational clients. So a brief about the talk: the talk is geared towards introducing the requirements of the Kenya Data Privacy Act and suggesting technical methods of implementing the Act in cloud and on-premise system implementations. These controls include field-level encryption (FLE), format-preserving encryption, hashing, masking, encryption, anonymization and pseudonymization. Welcome.

Good morning everybody. My name is Deborah Rioba, yeah, Rioba is my name, and it is really a pleasure to be here. So I know that

in our program it mentioned implementation of the Kenya Data Privacy Act; maybe I should mention that it's the Kenya Data Protection Act, which was assented to in 2019, and mainly there's a difference between privacy and data protection, whereby privacy mainly looks at who has access to your data, and now the protection is the security part, where you've got all these other technical controls that you're utilizing to actually ensure that data is protected, that whoever is mandated to have access to this data has access to this data. So from there, one goal, the best place to start, would be to do an analysis of your data. For instance, if you've got an enterprise, even at school, personally identifiable information would fall under this category, and on top of personally identifiable information there is the sensitive data. So for you to be able to actually protect this data you need to assess: what am I collecting, where is it stored, who has access to this? So that from the beginning it's easier to actually have a roadmap of what it is that you're protecting. So mainly it will be doing discovery, and I know that there are tools; maybe one of the key things that I will say is I'll avoid giving specific tools, but just a general overview of the controls that can be used to actually protect this data.

So when you do the discovery you'll mainly be looking at what types of data sets you have: do you have personally identifiable information, and on top of this what else is stored, so that when you are doing, say for instance, the classification, then you can classify, say, public, internal, sensitive, etc., so that it becomes quite holistic for the protection to take place. So how is it used? Are we using this to give the services that we are legally mandated by, say, the licences that we have been given? So once this is in place, then, if I could mention, there are certain prerequisites within the Act that mandate processors and controllers to abide by. So once you have gone ahead and registered as a controller or processor, which at the moment I think the process is still ongoing, if maybe you keep a keen eye on the Office of the Data Protection Commissioner, they have already registered a few controllers and processors. So once you've already gotten this out of the way then you need to check: okay, legally this is what I'm mandated to collect; on top of that I need to collect only what is minimal to do the processing that I have registered for. So if you do not need, say, phone numbers, you cannot collect that data; if you're only mandated to collect emails, then that is the only thing that you are supposed to collect. So there is lawfulness, data minimization like I have mentioned, and then accuracy of the data. So when, say, today, if I change my address and I had already given an address to somebody who is processing this data, I can request that processor or controller to actually go ahead and correct it. That is one of the items that you call the data subject access rights. There's a myriad of things; I'm not going to go through that. So the processor and controller are mandated to service the data subject, now, who gives this personal information to them.

So in essence the controls that ideally you should put in place should encompass the data management life cycle, and it starts from collection to the point of disposal. So at your point of collection, what controls do you have? And then after you collect, then you go ahead and process. During processing, are you sharing this data with other people? Are you doing any cross-border transfers outside the country, for instance? And if you're doing that then you need to check the technical safeguards of the party that you are transferring this data to. So on top of that, how are you storing it? What controls do you need to have in place where you're storing it? And then post the storage, then there's definitely archival and then disposal. You need to dispose according to the Act; dispose of this data if you no longer need it. But there's a caveat there, because I know there are different laws that mandate us to say, if you have a court case and you are required to provide some historical information to court to facilitate that particular case, so there are some little caveats here and there which we're going to go through.

So one of the key things which personally I would consider very highly is identity and access management. If I could take you back, there is, let me see, a framework, it's not [unclear], it's neither here nor there, called privacy by design. So ideally, during the whole data management life cycle you're supposed to embed privacy in every single process or product. So if you are introducing a new product, for instance, from the outset, from your SDLC on the way to when the product goes to market, you need to have data privacy by design embedded within your processes, so that, if I could give an example, when you are giving access to, say, mobile banking, you're not supposed to have some pre-checked boxes or automatic opt-ins, if I could call it that. Consent is very key. So if you've already done this from your development stage, then at the point where you are collecting the data it does not become a problem; I think you're not flouting any laws, so that from there on it then goes all the way back to when you are disposing of this data.

So having said that, one of the key items, once you have already done a discovery of your data within your databases, if you are processing them in your web servers, application servers, etc., then you go back to your fundamentals: who has access to the data? And that's where you have your identity and access management tools coming in, and on top of this there's privileged access management, so that you have the least privilege principle being implemented to this, so that if there is someone who needs this data you apply the need-to-know framework, so that you do not also have people accessing the data who are not really mandated. As we know, I know this one is quite common, a very high percentage of fraud cases, or rather even data leakage, is usually an inside job, as we like to call it. So if you take care of your internal processes, then it becomes easier to take care of the external attackers, just to minimize the risk of having a breach. Now on top of it, of course, like I said, is the privileged access management: when you have your root and admin accounts or privileged accounts accessing data, these need to be monitored very clearly, and the best way to do this would be having a PAM in place, so that you know who is accessing what.

Now, endpoint protection. Let me take an instance of mobile banking; I think that should be the best. We have already heard of people complaining that, no, this is such a big... I'm not going to mention the exact one, that they're having their bank accounts wiped clean. So if you look back, probably from the mobile device, from a processor and controller point of view, you're [unclear]; as a user I am giving this data, my username and password, to the processor. The processing might not necessarily be done from the device, but it's done on the backend servers, etc., you know, the mobile banking setup and the internet banking. So if this other side can be taken care of, including other controls, other mitigating controls, then definitely I think that would be a better way, on top of implementing your two-factor authentication, etc.; then this becomes easier. And other monitoring controls: so sometimes monitoring is, I would say, maybe it's reactive, but when you have your detection, so that at the point where you notice the rogue activity taking place then action is taken immediately, then it becomes quite easy.

Now let me go to the elephant in the room. I've had this session [unclear], or rather, there's somebody who is a specialist in cryptography; I'm looking forward to that. So on encryption, this is important. So like I said initially, you've got data at rest and data in transit, and sometimes you might get that if you have a system in the cloud, then definitely if you're transferring that data from your own data centers, or you have already hosted them there so that the users are actually accessing systems on the cloud, regardless of the platform it's quite important to ensure that encryption happens end to end, from the moment the data is collected to when it's in transit to when it's on the cloud, so that it becomes a bit easier to actually comply with the Act. If I could mention and quote, when doing breach management, and if there happens to be a breach, the Act provides for reporting of such breaches within 72 hours to the Office of the Data Protection Commissioner. So there is a section which indicates that if the breach happened and the data was encrypted then this does not need to be reported to the data subject. So you need to report to the ODPC, and you also need to report to the data subject, because they need to know that their data is at risk or it could be misused if that breach actually happened. So if there are guarantees and there is proof that encryption really happened then you can report to the ODPC but you do not need to report to the data subject, because the risk of misuse then is therefore minimized.

So on top of this, another control I said: users now, who we are referring to as the data subject, need to have availability of this data, and in the event that it is not, you need to actually inform them that this data is not going to be available to them. So for one, replication definitely is very important. And I wanted to mention on retention: there are some limitations on retention that the Act gives. That's that if today, because I am a data subject, for instance, and I need you as a data controller to delete my data today because I feel I do not need you to have access to it or to process it in any kind of way, so if I request a deletion, the best thing that you as a controller can do is to actually restrict it and not necessarily delete it, because in the event that it will be needed in the future for any other purpose, then that becomes a problem to the controller. So the issue of retention is not really absolute; we need to look at, okay, the KDPA does not give a specific period; that's why it now defines the limitations on retention, whereby if it's required by the authorized law, it could be the police, it could be the Kenya Revenue Authority, or it could be any other legal entity, then the processor or the controller needs to give this data. So any other historical data can be kept, but it now needs to be pseudonymized. Pseudonymization refers to when you completely remove any aspect of the data from the data set that might identify a person to that particular data, so you can see that you can still mine that data and you will not be flouting any law. So once you do that, you can use that for statistical purposes; you can use that, you know, if you're doing your surveys, so long as you have pseudonymized it and anonymized it. Does that make sense?

Yeah, so I'd say so far that is all I had, unless there are any questions or comments.

[Audience] So in the first slide you mentioned... so there you mentioned controls. I'm sorry, it's the next slide please, after that, yeah, the life cycle slide, yeah. So over there, under the collection, you mentioned controls, right?

[Speaker] So I said that if you already have privacy by design controls at the back end, at the collection stage there are really no technical controls that you can employ; you just need to ensure that you do not have any pre-checked boxes where the user does not give explicit consent for their data to be processed.

[Audience] Explain a little bit more what you mean by controls, like could you define or give some examples of controls that can be implemented by a data controller or data processor?

[Speaker] Oh yeah, so these are the ones that I was talking about, especially for the data... let me say data loss prevention. Sometimes I've seen others define it as a simple tool, but my approach is to take it from a [unclear] point of view, because there are different tools that actually ensure that data is not lost or leaked, and it could even go not necessarily technical, even from your own processes. Now for the controls, the technical ones, it would mean pseudonymization, the identity and access management, if you're doing privileged access management, with the help of the actual technologies to do these particular things. Thank you so much, and I appreciate it. [Music] [Applause]
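The talk names pseudonymization, masking and hashing as the controls that let a controller keep historical data for statistics while no longer holding it in an identifying form. The block below is an added example, not code from the talk or the speaker, showing the difference between those three in working Python: keyed (HMAC) pseudonymization that replaces direct identifiers with a token only the key holder can recompute, display masking that keeps the last digits of a phone number or the first letter of an email for support staff, and an anonymized per-branch aggregate that retains no per-subject linkage at all. The customer records, the key and the field names are constructed for the example; a real deployment would keep the HMAC key in a secrets store, separate from the pseudonymized data set, so that a leak of the statistics table cannot be joined back to people.

```python
import hashlib
import hmac
import re

# Constructed sample records, as a data controller might hold them (not real people).
CUSTOMERS = [
    {"name": "Jane Doe", "email": "jane.doe@example.com",
     "phone": "+254712345678", "branch": "Nairobi", "balance": 1500},
    {"name": "John Roe", "email": "j.roe@example.org",
     "phone": "+254733000111", "branch": "Mombasa", "balance": 320},
]

# Direct identifiers: fields that on their own point to one person.
# (Assumed field names for this example; a real schema will differ.)
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def pseudonymize_value(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for one identifier.

    The same input always yields the same token under the same key, so records
    of one person can still be linked for statistics, but without the key the
    token can be neither recomputed from a guessed identifier nor reversed.
    A plain unkeyed hash would not give that property for low-entropy inputs
    such as phone numbers, which an attacker could enumerate and hash.
    """
    canonical = value.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Drop every direct identifier and add one token derived from the email.

    The result keeps the non-identifying attributes (branch, balance) that
    statistical work needs and nothing that names the person.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = pseudonymize_value(record["email"], key)
    return out


def mask_phone(phone: str) -> str:
    """Keep the +NNN country code and the last four digits, mask the rest.

    Used for display to staff who need to confirm a number with a caller but
    not to see it in full. Expects E.164-style input such as +254712345678.
    """
    m = re.fullmatch(r"(\+\d{3})(\d+)(\d{4})", phone)
    if not m:
        raise ValueError("unsupported phone format")
    code, middle, tail = m.groups()
    return code + "*" * len(middle) + tail


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        raise ValueError("not an email address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def branch_totals(records: list) -> dict:
    """Anonymized aggregate: balance per branch, with no per-subject rows.

    Unlike the pseudonymized table, this cannot be re-linked to a person even
    by the key holder, which is the form to prefer when only totals are needed.
    """
    totals: dict = {}
    for r in records:
        totals[r["branch"]] = totals.get(r["branch"], 0) + r["balance"]
    return totals


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-a-secrets-store"
    for c in CUSTOMERS:
        print(pseudonymize_record(c, key))
        print(mask_phone(c["phone"]), mask_email(c["email"]))
    print(branch_totals(CUSTOMERS))
```

The pseudonymized rows can be kept for the surveys and statistics the talk mentions; the masked forms are for screens where a person is being served; the aggregate is what to hand out when nobody needs to follow an individual at all.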