Recently one of Kenya’s largest banks suffered a massive data breach – a file with details of more than 500,000 customers, including their names and phone numbers, appeared online.
A breach of this kind could just as well have involved data about the bank’s vendors. One of the things a hacker could do is sell confidential information about highly privileged service contracts for specific undertakings between the bank and its vendors to competitors, since some companies would be willing to pay a premium for such information.
In this digital age of phenomenal technological advancement, the government of Kenya deemed it prudent to come up with a Data Protection Act that will ensure information is protected by reasonable security safeguards against loss, damage, destruction, and access by unauthorised persons.
Data protection is of paramount importance since it builds trust among the stakeholders who relay their data on a given platform for use by different players in the supply chain ecosystem. Under Kenya’s Data Protection Act (2019), anyone collecting sensitive data from the public must put in place appropriate technical and organisational measures to safeguard it.
Data privacy is needed in the supply chain management function since stakeholders in the supply chain are vast, ranging from buyers, suppliers, government regulatory bodies, and manufacturers, among many others. These stakeholders need assurance their information is well protected in order to be able to freely share relevant information with other players in the ecosystem.
For instance, a supplier who is working collaboratively with a buyer to reduce inventory and achieve efficiency is certain to share their strategies, processes and operations with the buyer. This information is essential to the buyers so they can realign their systems to match those of their key vendors, so that both parties can fully realise the benefits of a collaborative working relationship.
In the unfortunate event that such information leaks, the supplier is put in a compromising position since their competitors become fully aware of their strategies and processes.
In order to ensure strict compliance with the Data Protection Act, and for the data protection commissioner to be able to effectively carry out their duties, stringent measures have been put in place to dissuade organisations and individuals from breaching the Act.
Section 56(1) provides for enforcement provisions whereby a data subject who is aggrieved by a decision of any person under the Act may lodge a complaint with the data commissioner. Any organisation or individual found to be in breach of the Act is liable for a penalty of Kshs 5,000,000 (£35,714) or up to 10 years’ imprisonment.
☛ Samba Muthui is a supply chain management consultant at Swift Optimal Limited