NAIROBI, Kenya- In a decisive move, the Office of the Data Commissioner has slapped Trident Insurance Company with a Sh1.8 million fine for failing to comply with Kenya’s data protection regulations.
The penalty, which must be paid within 30 days, highlights serious gaps in the insurer’s handling of sensitive personal data, a core requirement under the Data Protection Act.
According to the Data Commissioner, Immaculate Kassait, Trident Insurance failed to adhere to an earlier Enforcement Notice issued on March 11, 2024.
The company did not implement key measures designed to safeguard the data of its clients.
The lack of a proper notification mechanism to inform data subjects when their data rights were affected.
This omission directly contravenes Section 29 of the Data Protection Act, which ensures individuals are kept in the loop about their personal data and any potential breaches.
The watchdog also pointed out the insurer’s failure to limit the collection of personal data strictly to the necessary scope for specific purposes.
Without these technical and organizational measures in place, Trident exposed itself and its clients to the risk of data misuse.
In addition to the data protection breaches, Trident also fell short of establishing an internal complaints mechanism—a requirement under the Data Protection Act.
This system is essential for addressing any grievances or concerns raised by individuals regarding their personal data.
Without it, data subjects were left without a means to seek redress, undermining their ability to protect their data rights.
Kassait also emphasized that the company had not provided evidence that its staff had undergone proper data protection training.
Under the Act, employees who handle sensitive personal data are required to be well-versed in the rules to ensure compliance.
As if these issues weren’t enough, Trident Insurance was also flagged for operating without a data controller or processor permit, a fundamental legal requirement for any organization managing personal data.
The absence of this permit adds another layer to the firm’s non-compliance woes.
This fine is a critical reminder that adherence to data protection laws is not optional—especially in industries handling sensitive personal data.
Companies must stay ahead of the curve by implementing comprehensive compliance frameworks to avoid penalties like these.
