Navigating Data Privacy, AI, and Digital Trust in the Financial Sector
In an era where data is the heart of the financial industry, the role of a Data Protection Officer has never been more critical. The delicate balance between leveraging customer data for innovation and upholding the highest standards of privacy and security is a central challenge for banks worldwide. We sat down with Daphne Njeri, the Data Protection Officer at the National Bank of Kenya, to discuss her unique career journey, the evolving regulatory landscape, and the strategic imperatives for corporate leaders in a data-driven world. In this candid interview, Daphne shares her expertise on everything from conducting Data Protection Impact Assessments for AI-driven products to fostering a company-wide culture of data privacy. Her insights offer a roadmap for financial institutions seeking to build a foundation of digital trust in a rapidly changing technological and regulatory environment.

Q&A with Daphne Njeri
Q. Can you tell us about your career path that led you to specialize in data protection? What motivated you to choose this field?
A. The lecturer who taught me ICT Law in law school challenged us to contextualize how technology works so we can imagine how laws should be drafted. This sparked a little interest in technology regulation, but it was not until my human rights class that I was really interested in data privacy, first as a human right and much later in the context of how businesses should incorporate privacy as they do business. After a few years in my traditional legal practice (law school, bar exams, pupillage and law firm) I decided to resign from my position and pursue data protection specialization. I was motivated to choose data protection because I had an interest in the intersection of law and technology and, at the time, Kenya had passed the Data Protection Act, 2019 and had just established the Office of the Data Protection Commissioner (ODPC). At the time there was a small number of people working in data protection, and institutions were trying to understand the law and how to be compliant with it. Once I got immersed in the ecosystem, I have not looked back. It has been an interesting field with different challenges every day.
Q. The banking sector relies heavily on data. From a strategic perspective, how do leaders balance business objectives such as customer acquisition and product development with the need to ensure strict data privacy and protection?
A. As one of the most regulated industries, the banking sector is required by law to collect certain information intended to properly identify their customer, i.e., the Know Your Customer (KYC) requirement. The data privacy laws only dictate how to safeguard personal data while a bank or any other business tries to achieve its commercial objectives. Leaders should understand the boundaries of the data protection law, which are very clear when it comes to direct marketing, onboarding customers and development of new products. Consulting with the Data Protection Officer before launching a new product or a new business process allows data protection by design and by default to be incorporated at the very beginning of the project, thus ensuring strict compliance with the data protection laws.
Q. In your view, what is the value of collaboration among banks to standardize data protection practices? What are some of the key issues that such industry-wide working groups typically address?
A. Collaboration is quite important, especially for stakeholders in the same industry. The banking sector is highly sensitive and highly regulated, and with data protection being a new-ish law that adds to the other laws in the banking sector, it is very important to discuss with other peers the issues that affect the industry and how to address them. Collaboration also helps in raising collective issues faced when implementing the law to the data protection authority, who will assist in addressing the issue or interpreting the law, and thus higher compliance levels for the industry.
The issues addressed by working groups include cross-border transfer of data, especially where banking institutions traverse different countries or continents, standardization and best practice for privacy compliance, sector-specific challenges, and advocacy and policy influence for regulations affecting them.
Q. If a financial institution were to introduce a new digital product that uses AI to analyze customer spending habits, what would be the key steps and best practices for conducting a Data Protection Impact Assessment (DPIA) for that project?
A. The first and most important thing is to identify the need for a DPIA; under the Kenyan Data Protection Act, 2019, the requirements are set out in section 31. In this case the need for the DPIA will be because customers (data subjects) are subjected to automated decision making.
Once the need for a DPIA is established, one needs to describe the processing activities, and this will answer questions like what personal data is collected, how the personal data will be processed (the analysis of the spending habits), why the processing is necessary, who the data subjects will be in the processing activities, the data flows therein and the relationship with vendors, if any.
The next step is to assess the necessity and proportionality of the processing activity (use of AI to analyze customer spending activities). In this part, one justifies why they need to use AI to analyze the spending habits of the customers and asks questions like: is AI the most effective and least intrusive method? Are there alternative approaches to achieve the same objective? Is the processing proportionate to the intended benefits?
Once the above questions are answered and the processing activity is justified, one needs to identify and assess the privacy risks that will arise in the processing activity. In assessing the risks, one assigns a likelihood of occurrence and a severity score to each of the risks.
Once the risks are identified, one needs to identify the measures to mitigate the risks by implementing the relevant safeguards such as data minimization, bias detection and correction, transparent privacy notices, human oversight, among others.
Then the DPO needs to consult with internal stakeholders such as legal, IT, compliance and the business unit, and also external stakeholders including the data protection authorities and consultants, to determine levels of compliance and also provide advice or oversight.
The complete DPIA is then filed with the data protection authority (ODPC in Kenya) sixty (60) days prior to the start of the processing activity. The ODPC will give advice or ask for further information before giving a go-ahead with the processing activity.
The DPIA is then kept as a live document where new risks identified are mitigated against.
Q. When business priorities and data privacy principles clash, how do you approach that conversation at the executive level and what strategies have you found most effective in finding middle ground?
A. The most effective approach is to frame privacy as a strategic enabler as opposed to a constraint, by highlighting how it builds customer trust, mitigates regulatory and reputational risks and supports growth in the long term. It is really important to align privacy recommendations with the company’s goals, using risk-based language that resonates with executives, such as quantified exposure, potential fines and reputational damage. One needs to offer practical, privacy-enhancing alternatives such as data minimization, phased roll-outs, consent-based models, transparency through proper privacy notices, among others, so that you shift the conversation from “no” to “how”.
Q. Privacy and AI regulation is evolving rapidly across Africa and globally. Which upcoming shifts should corporate leaders in the financial services sector be preparing for over the next two or three years?
A. When it comes to data privacy, the most vulnerable point is when financial institutions work with vendors or third parties who process personal data on their behalf. Under the majority of the privacy laws across Africa, the data controller (financial institution) is responsible for privacy compliance even when it works with data processors (vendors). This means that, in-house, a financial institution may be 100% compliant with privacy laws but will be held liable when the vendors are found non-compliant by the data protection authorities. It is really important that leaders evaluate the third parties they work with, especially the ones that deal with personal data collected by the financial institutions. Third-party compliance and vendor management becomes a critical area when it comes to privacy.
On AI, inasmuch as most countries are preparing to have AI regulations, financial institutions are bound by other laws when it comes to the use of AI. The Kenyan Data Protection Act, 2019, for example, sets conditions to be met before deployment of AI, and this includes carrying out a Data Protection Impact Assessment and proper privacy notices, among other requirements. In future, leaders should use best practice when it comes to the use of AI in the financial services sector and be involved in policy advocacy as different countries draft AI regulations.
Q. Platforms like GITEX play a significant role in bringing together industry leaders. From your experience, what role do such events play in shaping the conversation on digital trust, AI governance, and the future of financial services?
A. Platforms like GITEX bring together industry players in spaces that allow collaboration, dialogue and strategic alignment. Events held by GITEX are incubators for policy and tech adoption, allowing stakeholders to showcase emerging solutions, debate regulatory frameworks and also build consensus on ethical standards and responsible innovation. Emerging issues like privacy and security while using AI are discussed, and thus leaders are able to raise standards when creating new systems or using new technology.
Q. The banking sector works with many third-party vendors who handle sensitive data. What due diligence process do you recommend to ensure that all vendors comply with data protection regulations and uphold the highest security standards?
A. Banks should continue carrying out third-party risk assessments as they have always done, but this time they should also pay attention to privacy compliance for the third parties. Vendors should demonstrate their compliance with data protection laws by indicating whether they are registered with data protection authorities when required by law; they should have Data Protection & Privacy Policies and Privacy Notices where relevant; they should demonstrate that their employees have taken up data protection training to understand their role when handling personal data; and, when necessary, the banks as data controllers should carry out privacy audits to ensure that the third-party vendors are compliant with privacy laws.
Q. Data protection is a company-wide responsibility. What strategies have you found most effective in fostering a culture of data privacy and raising awareness among non-technical employees?
A. One of the most effective strategies is to have leadership be a champion for privacy and embed it into company values and decision making. It becomes easier for the privacy team to spread the gospel of privacy compliance when the senior leadership has endorsed it.
When it comes to training on data protection, the privacy team should use clear and concise language and give relevant examples of privacy compliance and penalties issued for non-compliance. The privacy team can also issue company-wide communication through awareness campaigns, simplified guidelines and visual aids to explain concepts and what is expected of staff when it comes to privacy compliance.
Most importantly, the privacy team should create a safe environment for reporting incidents or asking questions to ensure that data protection becomes part of daily habits rather than a compliance check-box.
Q. For a professional who is just starting their journey as a Data Protection Officer in the financial services industry, what one piece of advice would you give them to help them succeed in a role that requires a blend of technical, legal, and communication skills?
A. My advice would be, as you understand the data protection laws, you also need to understand how financial services operate, including the daily activities and the different data processing activities. Banks will work differently from fintechs and even from insurance companies, and sometimes you will work at an institution carrying out the three financial services as a group entity. This means that you will need to understand the three businesses before starting the journey of privacy compliance.
As you carry out the role of a Data Protection Officer, you also need to map your key stakeholders who will help you understand the technical part of the role or the legal part of the role. Departments like information security, IT risk, legal and compliance, procurement and corporate marketing & communications should be your allies, helping you confirm technical measures are in place, resolve disputes touching on data privacy, carry out third-party risk assessments and also communicate to staff on privacy compliance. The role can’t be done alone and also can’t be performed from the Data Protection Officer’s desk. The Data Protection Officer needs to keep up with the business, the key internal and external stakeholders, as well as the developments in privacy laws around the world.