Digital lenders in Kenya continue to grapple with challenges related to data protection compliance, as per the statement made by the Data Protection Commissioner, Immaculate Kassait. She highlighted that audits have revealed that most digital lenders are relatively new to data protection regulations. This concern arises even as the Central Bank of Kenya has granted permission for 10 more digital lenders to resume their operations, bringing the total number of licensed digital lenders to 32.

Since March 2022, the banking sector regulator has been flooded with a whopping 401 applications for vetting under the CBK Digital Providers Regulations 2022. The inception of these regulations was triggered by the mushrooming of unregulated digital credit providers in Kenya, sending shockwaves through consumer protection circles. The concerns ranged from shady practices like lack of transparency, fierce debt collection tactics, and sky-high interest rates. To make matters worse, alarming issues pertaining to data protection and financial integrity came to light, unveiling the misuse of personal consumer data, money laundering, and even the funding of terrorism.

The annual bank supervision report for 2022 published by CBK revealed that the regulator has collaborated with other relevant regulators and agencies, including the ODPC, throughout the licensing process. Commissioner Kassait, speaking at a press meeting, expressed that some digital credit lenders failed to grasp the concept of data protection by default and by design. She emphasized that simply claiming to have firewalls in place is insufficient when asked about data safeguards. Lenders must instead demonstrate their data collection, processing, and disposal practices, as well as showcase their capacity building resources, data governance, and organizational data policy.

Kassait pointed out that penalizing digital lenders has already begun to convey a strong message. In April, Whitepath Company Limited and Regus Kenya were fined Sh 5 million each for breaching data protection laws. Kassait stated that those who are committed to their businesses have started seeking more time to comply and receive guidance on the necessary steps to be taken.

According to the United Nations Conference on Trade and Development (UNCTAD), digital services are projected to contribute an additional $180 billion (Sh 23 trillion) to Africa’s GDP by 2025. However, the 2022 Data Protection and Privacy Survey report indicates that Saccos, NGOs, research firms, and SMEs are lagging behind in complying with data privacy laws and registering as data processors or controllers with the Office of Data Protection Commissioner (ODPC). On the other hand, banks, insurers, telcos, and healthcare firms are leading the way in data privacy compliance and registration.