The Kenya Data Protection Act was enacted in 2019 to protect the personal information of Kenyan citizens. The act sets out the rights of individuals with regards to their personal data and the responsibilities of organizations that collect, process, and store this data. Organizations must implement appropriate measures to protect personal data and include use of data protection services like Microsoft Purview.
Microsoft Purview is a family of data governance, risk and compliance solutions that enables organizations to discover, understand, and govern their data across their organization and beyond. Purview is designed to help organizations meet the requirements of data protection regulations such as the Kenya Data Protection Act. The solution helps organizations to:
- Discover and understand their data: Microsoft Purview content explorer enables organizations to discover and understand where their data is located in the organization
- Protect sensitive data: Microsoft Purview comes with Data Loss Prevention capabilities that can be used to prevent data exfiltration
- Control access to data: Sensitivity labels can be used to control access to labelled data, for instance a file labelled internal only can have access restrictions for internal employees only such that even when the file leaves the organization no one else can be able to open the file
- Monitor and report on data usage: The activity and content explorer provides detailed reporting on data usage, enabling organizations to monitor the access and use of sensitive data.
To implement Microsoft Purview Information Protection here in Kenya, organizations need to take the following steps:
- Assess data protection requirements: The first step is to understand the requirements of the Kenya Data Protection Act and to assess the current state of data protection within the organization. Microsoft has provided more than 700 premium assessments, for instance with the premium assessment for Kenya Data Protection and Privacy act, organization can track their current compliance posture and ensure they have implemented what is required of them to implement.
- Plan the implementation: Organizations should develop a plan for implementing Purview, including identifying the data sources that need to be included, where the data is located and know which sensitive information types is in the data.
- Classify and protect data: Organizations should define classifications to be used in protecting sensitive data, such as personal information and credit card numbers, the classification will enable the organization to determine which sensitivity labels and protection/encryption to be applied
- Monitor and report on data usage: Organizations should utilize Microsoft purview activity explorer to monitor and report on the usage of sensitive data and alerts from DLP policies to ensure that organization data is being used in accordance with the Kenya Data Protection Act.
In conclusion, for organizations in Kenya and beyond, Microsoft Purview is a powerful tool for organizations looking to implement information protection and meet the requirements of the Kenya Data Protection Act and industry specific regulations.