Impact Assessment Methods for Risks in Data Privacy: a Case Study of Kenyan It-enabled Smes

Abstract

Information has become a strategic commodity. Data-driven decision-making processes have been observed to lead to more efficient planning and usage of resources. Businesses have adopted their processes to collect data from their customers, in order to perform analyses from this data and obtain some useful information. The protection of data has become a key factor to the success of SMEs. The Government of Kenya enacted into law new data protection regulations that aims to ensure protection of individual personal data, and provided regulation on the handling of personal data. IT-enabled SMEs were therefore presented with new business risks in compliance to these new regulations. Therefore, there was a need to identify the key factors influencing compliance with data protection impact assessments in IT-enabled SMEs in Kenya and to identify applicable open source frameworks for managing data protection as a business risk. The purpose of this study was to identify key data protection impact assessment factors facing IT-enabled SMEs in Kenya and to identify applicable open source frameworks for managing data protection as a business risk. This research was a case study focused on understanding privacy risk management practices among identified SMEs. A primarily qualitative study was performed to determine the data for this study, and the collected data were organized systematically to facilitate analysis. The study found that Kenya has extensive legislation on data privacy. The study also highlighted the significance of Kenyan IT-enabled SMEs investing in the data privacy training and awareness, data privacy policy programs, data privacy vulnerability management programs and privacy by design plays a key role in management of data privacy as a business risk. The study also identified the use of OCTAVE-small as a framework that can be adopted by these SMEs. The study proved the viability of the OCTAVE-small Data Privacy Impact Assessment framework as suitable for IT-enabled SMEs in Kenya. This recommendation was guided by the proportionate regulatory framework which would ensure the SMEs maintain active risk management of data privacy related risks.