Doing more with less: Privacy challenges in emerging markets

Marc Marrero, Senior Consultant
February 2024

iStock-1145910735 - low

Emerging markets face particular challenges when implanting privacy laws. Just ask Immaculate Kassait, who as Kenya’s first Data Protection Commissioner in 2019, had no staff and only a limited budget to implement Kenya’s Data Protection Act in a country of 53 million people.

Utilising Jamaica’s recent implementation of the Jamaican Data Protection Act (JDPA) from December 2023 as an example, this article explores five key challenges common to the emerging market privacy law implementation landscape as well potential solutions. These five challenges, taken together, require companies to undertake a broader response to emerging market privacy legislation.

  1. General privacy awareness is lower across the population

Before the GDPR went live across Europe, multiple regulators launched year-long awareness raising exercises, educating individuals on basic principles of privacy and the GDPR. In emerging markets, the regulator may lack the funds for a country-wide privacy awareness campaign, and, in the event that they have sufficient funds, may lack the staff to pull it off across multiple media channels (print, television, radio, social media, etc…)

The upshot for a company implementing an emerging market privacy law is that their stakeholders do not usually understand privacy, leading to an uphill battle to raise awareness and educate data subjects before the legislation goes live. Given this lack of resources, emerging market regulators are essentially forced to push responsibility for privacy awareness onto the private sector. Therefore, financial services, healthcare, insurers, and the other largest players within key sectors of the economy indirectly bear the cost of raising privacy awareness for much of the general population.

Solution: With advance planning, leverage industry bodies and groups to help raise awareness for their members. Use the scale of industry groups to raise general population awareness, avoiding each company trying to go it alone.

  1. Unforeseen consequences given minimal industry consultation

It is rare for an emerging market regulator to effectively seek consultation across multiple industry groups before issuing regulatory guidance. In Jamaica’s case, this led to three unforeseen consequences:

  1. Given a lack of formal consultation with the insurance industry, the JDPA does not include a provision for the processing of sensitive personal data in the insurance claims underwriting process. The JDPA provides for processing under consent (which can be withdrawn at any time), and for medical personnel to process sensitive personal data, but not for the processing by underwriters and associated third party claim processors. This lack of provision threatens to undermine a functioning insurance market, which is key to emerging market growth.
  2. As currently written, the JDPA requires nearly every data controller to submit a Record of Processing Activity (RoPA) yearly, and every DPIA needs to be reviewed and submitted to the regulator on a yearly basis. Operationally, this is a huge burden on SMEs, especially given the fact that it is not feasible for the Jamaican regulator to analyse each year over 69,000 RoPAs from active companies in Jamaica, let alone all of their DPIAs.
  3. Draft regulations precluded a single Data Protection Officer (DPO) from serving as DPO for multiple Data Controllers. While this was removed from the final regulation, 69,000 + DPOs in an economy the size of Jamaica would have taken years to train, hindering compliance with the JDPA.[i]

Solution: Engage early with your data protection regulator. Request in person meetings, invite your regulator to meet industry bodies and trade associations to discuss common areas of concern before the guidance is finalised. Raise specific points at these meetings, with the intention of resolving them before the relevant privacy law is enacted.

  1. Implementing regulations

In emerging markets, implementing regulations and guidance can be issued as late as the day before a law’s effective enactment date. Under such circumstances, there is not sufficient time to implement new guidance before the go-live date.

Solution: Ensure your privacy program is sufficiently flexible to accommodate last minute regulatory change. You can do so by building a principles-based program, established using the highest standard of privacy across your organisation’s footprint. Solution 1 and 2 above can also help mitigate last minute surprises.

  1. Technical Issues

Given budget limitations and resource constraints, regulators may attempt to use technology to fulfil key requirements of the law. Technology may be the only way to implement certain privacy laws as written, but even technology requires resources to develop and manage.

Using Jamaica as an example, all Jamaican Data Controllers were required to register online by 1 December, 2023. However the registration portal experienced technical issues, leading to a last minute 6month delay to 1 May, 2024 before registration enforcement.

Solution: Ensure all registration related requirements are centralised and in electronic form, with strict version control. Use best in class templates from the European Data Protection Board (EDPB) or European regulators such as France’s Commission Nationale de L'informatique et des Libertés (CNIL) or the UK Information Commissioner’s Office (ICO) if needed to store the data until technical solutions can be implemented locally to register.

  1. Lack of crucial guidance

Comprehensive privacy laws interact with a multitude of other laws, requiring regulatory guidance. In many emerging markets, such guidance is pending or lacking for years after the launch of a privacy law. One notable example relevant to Jamaica, Brazil and other emerging markets is the definition of which “equivalent countries” personal data can be transferred to without additional safeguards? Over two years after implementation of its Lei Geral de Proteção de Dados (LGPD) Brazil indicated that it was beginning to consult on an equivalent countries list, but it will likely be four or more years from LGPD’s go-live date before that list is finalised and approved by the regulator.

Solution: Utilise EDPB or EU regulator guidance (for Europe, Africa, and Americas) or Singapore or Hong Kong non-binding guidance (Asia) as placeholder rules until such time as regulators issue specific guidance.

The overall lesson when implementing an emerging market privacy program is to expect a non-linear implementation timeline given the likely low levels of regulatory resourcing. The key is therefore to build a flexible, principles-based privacy program, utilising existing guidance from strong regional data protection regulators. Such a program can then be iterated as needed in the future based on additional guidance.

Such iteration will be key, as shown in Kenya, where Immaculate Kassait and her team in the Office of the Data Protection Commissioner have issued significant fines since 2019, while quickly building one of the most respected privacy regulators on the continent. Companies of all sizes need to be prepared for uncertainty and a high pace of change when operating privacy programmes in emerging markets.





[i] source: Jamaica Ministry of Industry, Investment and Commerce

Act now and speak to us about your privacy requirements

Start a conversation about how Privacy Made Practical® can benefit your business.

Click here to contact us.

Back to top