Impact Assessment Methods for Risks in Data Privacy: a Case Study of Kenyan IT-enabled SMEs
Abstract
Information has become a strategic commodity. Data-driven decision-making processes have
been observed to lead to more efficient planning and usage of resources. Businesses have
adapted their processes to collect data from their customers, in order to analyse
this data and obtain useful information. The protection of data has become a key factor
in the success of SMEs. The Government of Kenya enacted into law new data protection
regulations that aim to ensure protection of individual personal data, and provided regulation
on the handling of personal data. IT-enabled SMEs were therefore presented with new business
risks in complying with these new regulations. There was thus a need to identify the key
factors influencing compliance with data protection impact assessments in IT-enabled SMEs
in Kenya and to identify applicable open source frameworks for managing data protection as
a business risk.
The purpose of this study was to identify key data protection impact assessment factors facing
IT-enabled SMEs in Kenya and to identify applicable open source frameworks for managing
data protection as a business risk. This research was a case study focused on understanding
privacy risk management practices among identified SMEs. A primarily qualitative study was
performed to gather the data for this study, and the collected data were organized
systematically to facilitate analysis.
The study found that Kenya has extensive legislation on data privacy. The study also
highlighted the significance of Kenyan IT-enabled SMEs investing in data privacy training
and awareness, data privacy policy programs, data privacy vulnerability management programs
and privacy by design, which play a key role in the management of data privacy as a business risk. The
study also identified OCTAVE-small as a framework that can be adopted by these
SMEs. The study proved the viability of the OCTAVE-small Data Privacy Impact Assessment
framework as suitable for IT-enabled SMEs in Kenya. This recommendation was guided by
the proportionate regulatory framework, which would ensure that the SMEs maintain active risk
management of data privacy related risks.
Publisher
University of Nairobi
Rights
Attribution-NonCommercial-NoDerivs 3.0 United States
http://creativecommons.org/licenses/by-nc-nd/3.0/us/