Prepared on Paper, Exposed in Practice

by Business Times

Recently, I have observed that organizations register with the regulator as a legal requirement, but they do not go ahead to practice data protection. The next time they remember that data protection exists is when they are required to renew their certificates. Data protection and cybersecurity are not just legal requirements; they are necessary for the smooth running of organizations, especially with digital transformation and the digital economy. Data protection is not a compliance task to tick off, but a journey that should be embraced.

Over the past several months, the Beera Ku Guard campaign by the Personal Data Protection Office and the National Information Technology Authority has raised awareness about data protection and cybersecurity, with an emphasis on moving from awareness to action. While this awareness is important, the time has come to move beyond discussion and begin putting these lessons into practice. Building a strong data protection culture within organizations requires a deliberate commitment to data governance. Data use and governance prioritizes the ability to understand, manage, and ethically use data as a core asset of policy, services and governance.

Data governance is not a one-time event. It is a continuous process that spans the entire data life cycle. It begins with planning, that is, clearly defining the purpose, scope, and intended use of data. Organizations must ensure that data is collected legally and ethically. During processing, data should be cleaned, properly structured, and securely managed. If data must be shared, it should be done responsibly, with mechanisms such as contractual clauses governing data exchange and clear policies about data access and confidentiality. Data handling requires accountability, transparency, and training to help data handlers understand the implications of their actions.

Every organization needs to first put the basics in place as a starter in its data protection journey and data cycle. The starting point is identifying the personal data it collects, processes, and controls, commonly referred to as understanding its data footprint. This process, known as data mapping, enables an organization to know exactly what data it holds, where it is stored, how it is used, and with whom it is shared. With this clarity, organizations can ensure that all data collection, storage, sharing, and analysis comply with relevant laws and regulations.


Accountability is the next critical step toward data protection readiness. Organizations must clearly define who is responsible for data, who is accountable for it, and who should be consulted on related matters. These responsibilities should be formally documented and assigned. The designated individual is commonly referred to as the Data Protection Officer (DPO). In some organizations, the DPO may perform this role in addition to other responsibilities. Once responsibilities are defined, appropriate controls must be implemented to reduce risks and prevent breaches. Basic measures include keeping data files under lock and key, securing offices outside working hours, regularly changing passwords, using secure Wi-Fi connections, implementing multi-factor authentication, signing non-disclosure agreements, installing antivirus software, and setting up firewalls, among others.

However, these measures do not cut across all organizations. Measures differ based on the type of data collected and how it is handled. That is why it’s best practice for every organization to have a Data Protection/Information Security Policy that guides how it handles personal data, tailored to the organization’s activities and data cycle.

Training is equally essential. Data protection is not the responsibility of one individual; it is a shared obligation across the organization. All new employees should receive data protection awareness training to ensure they understand best practices when handling personal data.


Continuous reinforcement of these practices helps embed data protection into the organization’s daily operations and culture. To sum it up, data protection isn’t just a box to tick; it’s about keeping people’s information safe and building trust. By knowing what data they have, assigning clear responsibilities, putting simple safeguards in place, and training their teams, organizations can turn awareness into real action and make data protection part of everyday work.
