Meet the expert: Reena Shah to speak at PrivSec Global

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Reena Shah is Regional Senior Data Privacy Counsel at M-KOPA. A seasoned legal, data privacy, governance risk and compliance professional, Reena has worked across 26 countries in sub-Saharan Africa over the past 15 years.

Prior to her current role, Reena was Regional Senior Legal Advisor, Compliance Officer, Data Protection Officer and Diversity Equity & Inclusion Ambassador for Nestlé with direct responsibility for 18 jurisdictions.

Reena Shah appears exclusively at PrivSec Global to discuss the data protection’s evolving regulatory landscape across Africa.

Below, she answers questions on her professional journey and the themes of her PrivSec Global session.

Could you briefly describe your career pathway so far?

In the past 15 years, I have had the opportunity to work across more than 25 sub-Saharan African countries. I spent 10 of these years working in the FMCG industry for Nestlé, refining my experience as a legal, data privacy and governance, risk and compliance professional. I have since moved to the fintech space, joining M-KOPA as their Senior Data Privacy Counsel.

I was fortunate enough to enter the data privacy space in the early days of the GDPR. There, I found another way to merge my passion for fostering a compliance culture with the strategy of the business. Being a naturally studious person, I decided to get certified with the IAPP as a Certified Information Privacy Manager and as a Governance, Risk and Compliance expert with the ICA, which, due to the increased use of data, especially in the financial technology industry, and the associated increase cyber risks aligned perfectly with my passion.

From time to time, I also teach various courses on data protection and privacy. I am also a non-executive director of the examination board of Tsaaro Academy.

What impact has the African Union Convention on Cyber Security and Personal Data Protection – aka the Malabo Convention – had on data protection and privacy across Africa?

The Malabo Convention is the first international instrument of its kind attempting to harmonise data protection and privacy laws across Africa.

It is a significant and positive step in the right direction. It is the only other binding regional treaty on data protection outside Europe, giving all Africans reason to be proud. It represents new opportunities for the development of digital rights in Africa.

Despite the digital divide on the continent, there is an exponential growth in digitisation and connectivity across the continent. African nations are competing in the international marketplace, so there is potential for abuse of the rights of its citizens.

However, with only 15 countries (out of 54) having adopted the Convention in nine years, it does shine a spotlight on the effectiveness of the Convention. I also have concerns as to the ability for African regulatory bodies to enforce its standards. Notwithstanding that 36 African countries have adopted data protection laws at a national level, which does indicate a desire to protect its citizens, African nations are battling other challenges, such as the economic toll of the post-pandemic world, rising debt and inflation being responded to by a rise in taxation consequently causing crippling costs of living.

Are data protection and privacy going to be a real priority for regulators? Will local business be able to afford the cost of compliance? It has also been suggested that the Malabo Convention is too western. So, if the aim the Africa Union, through the Malabo Convention, was to start a conversation about data privacy on the continent, it succeeded. The next step would be for African data privacy professionals to engage with each other and think of an African approach to data privacy.

What challenges must non-signatory countries overcome before they are able to satisfy the Malabo Convention’s standards?

The Malabo Convention seems to take a very broad-brush approach to multiple issues. It addresses data protection, e-commerce, cybercrime and cybersecurity. The uneven advancement in technology, internet penetration, financial technology and now artificial technology across Africa, indicates potential challenges for non-signatories to effectively implement the Convention’s provisions.

It also lacks clarity on its applicability to controllers or processors outside Africa. So, non-signatories may, like South Africa, opted to maintain their own local laws and regulations, while implementing many of the principles that best suit it.