Legal and Regulatory Compliance

Legal and Regulatory Compliance

Audits and regulations can have a significant impact on a business. We want to support our customers on their compliance journey and enable them to meet stringent requirements with technology.

Soja is a highly customizable platform.  Organizations can adapt to unique industry or business requirements, as illustrated with this list of common compliance standards.

Data Residency

Legal or regulatory requirements are imposed on organizations that handle sensitive personal information. Depending on the country or industry such as governmental institutions, medical industries, or education, some organizations are required to store their visitor data locally.

How does Soja help you comply?

Soja offers the choice between a Hosting your data on our Cloud or on your own on Premise Server. We are committed to data protection and are working on growing the list of data centers to provide the flexibility you need.

Kenya Private Security Regulation Act 2016

The PSRA Act 2016 Provide for the regulation of the private security industry and a framework for cooperation with National Security Organs.

Section 48 of the Act touches on the power of security officers/guards to record and temporarily withhold identification documents. This section is paraphrased herein

  1. Power to record and temporarily withhold identification documents

  • At the entry of any premises or property within the jurisdiction and care of a private security service provider, a security guard or a security officer, the private security service provider, security guard or officer may request a person to identify themselves, register the time of entrance and exit of the person and retain temporarily the identification document of such person.
  • (2) The identification document surrendered under subsection (1) shall—
  1. be given back to the person at the point of exit;
  2. not be used for any other purpose save for identification;
  3. be kept in safe custody until given back to the owner.
  • Subject to section 45, any information obtained in the registration of a person under subsection shall not be used for any other purposes save for identification of the person.

  • The Cabinet Secretary shall make regulations generally to give full effect to this section.

  • A person who violates any provision of this section or any regulations made thereunder commits an offence and shall be liable on conviction to a penalty prescribed under this Act.

How Soja Will Help You comply

While part 2 (b) if this act is explicit on the need to use the information collected from visitors for security purposes only, It is hard to secure the same if the data is recorded on physical books.

One logbook page can accommodate Up to 50 entries, your 50th visitor for that day can easily see and pry on the personal data of the 49 visitors that came before him/her. This makes it difficult to secure your data and prevent its misuse: “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing.”

Paper logbooks cannot be encrypted nor can they be password protected. Also, a paper visitors’ book can be misplaced or stolen

Data collected using is secured using standard encryption systems and can only be accessed by personnel with requisite credentials

Kenya Data Protection Bill 2018

The principal object of the Bill is to protect personal data collected, used or stored by both private and public entities. The Bill recognizes that data protection forms part and parcel of the expectation of the right to privacy. It provides for the legal framework for protection of a person’s privacy in instances where personal information is collected, stored, used or processed by another person.

Once enacted, the Bill will give effect to Article 31(c) and Article 31(d) of the Constitution of Kenya 2010, which guarantees the right of every person not to have “information relating to their family or private affairs unnecessarily required or revealed” and the right not to have “the privacy of their communications infringed”. In keeping with Article 24 (1) of the Constitution, the Bill provides that the right to privacy will be limited for the following purposes: protection of national security and public interest, prosecution of a crime, protection of the rights of others and for compliance with an obligation imposed by law.

Apart from the Constitution, the current laws regulating the collection and use of personal data in Kenya include; the Access to Information Act (No. 31 of 2016), the Kenya Information and Communications Act (No. 2 of 1998) and the Consumer Protection Act (No. 46 of 2012).

The Bill follows the path taken by the European Union in enacting the General Data Protection Regulation (“the GDPR”) in May 2018 and makes Kenya the second country in East Africa after Rwanda to have a legislation dedicated to data protection. The GDPR has been hailed as the first step in checking the excesses of powerful technology firms that collect vast amounts of personal data from their users for commercial or competitive advantage.

Kenyan firms that transact business with any of the 28-member EU bloc countries will be expected to adapt to the new legislation. Any company that processes the data of an EU member state citizen or temporary resident, has employees based in an EU member state, offers goods or services in an EU member state or has a partnership with an EU business falls under the law.

Specific compliance areas with regards to the bill are similar to those highlighted under GDPR. The major Point to note is that the visitors Book as it exists in its current form is not compliant to the provisions of the Bill and the Act when it becomes law.


General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) is a new comprehensive data law that is designed to protect and empower all EU citizens data privacy and reshape the way organizations across the region approach data security. It requires companies and governments to be transparent about the personal data they process, have a legitimate purpose for their use of that data, and exercise care in handling data. The GDPR replaces the Data Protection Directive 95/46/EC and is intended to update and harmonize data privacy laws across Europe, with an effective date of May 25, 2018.

The GDPR defines “personal data” as any information related to a natural person (‘Data Subject’) that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, or a computer IP address. The new regulation significantly expands the privacy rights granted to individuals and places many new obligations on organizations that process personal information.

Organizations can collect personal data only for specified, explicit, and legitimate purposes. To do so, they need to have the data subject’s consent to process personal data. The consent needs to be clear, specific, freely given, and can be revoked at any point in time. It is the organization’s responsibility to be able to prove that they have obtained valid consent and when given, it only relates to the specific relationship.


With the GDPR all EU citizens hold the following data privacy rights:

Data access: the controller must provide the data subject with information, including the specific data processed, the purposes of the processing, and the other parties with whom such data has been shared

Data correction: the data subject can request the data to be modified if incomplete or inaccurate

Restriction of processing: the individual can limit the processing to a specific purpose or party

Data portability: the person has the right to request a copy of their personal data from the controller

Right to be forgotten: the data subject can revoke consent and request for data to be erased

Right to object: the individual can deny data processing, especially if the purpose is related to marketing

Does the GDPR apply to your organization?

The new regulation reaches beyond physical borders and applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

Transparency and consent: clearly communicate to the visitor what and why data is captured. Add notifications during the sign-in process and customize the confirmation emails.

Data collection: comply with data minimization and control what personal data is collected by customizing the sign-in flow. Determine mandatory fields, capture consent, or skip questions for a specific type of visitor.

Data processing: Prevent unauthorized access to data with customizable user roles. Increase control over who can view, modify, export, or delete personal data within an organization.

Data requests and transfers: Support an individual’s rights to access and portability with the consolidated repository. Use the search functionality in the digital log book to access and export data for transfers, if requested.

Data deletion: If requested, visitor data can be deleted to support a data subject’s “right to be forgotten”. Store data only for as long as it is needed to fulfill the original purpose.

Incident response: Leverage the consolidated view and respond quickly in case of an incident or data breach. Affected data subjects can be immediately notified.

Data residency: Choose to store visitor data in either Soja Cloud Server or on premise to meet mandates of storing and processing data in a certain country or region.

How will Soja help you comply?

The GDPR rules out the paper log book. To be able to protect and manage personal data effectively, organizations are required to shift to a more sophisticated solution. Soja offers a secure and customizable platform and data processing framework to support customers with establishing controls and procedures in data management. With a cloud-based visitor management platform, organizations have more control and can establish procedures to comply with the new regulation.