Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.
Reena Shah is Regional Senior Data Privacy Counsel at M-KOPA. A seasoned legal, data privacy, governance risk and compliance professional, Reena has worked across 26 countries in sub-Saharan Africa over the past 15 years.
Prior to her current role, Reena was Regional Senior Legal Advisor, Compliance Officer, Data Protection Officer and Diversity Equity & Inclusion Ambassador for Nestlé with direct responsibility for 18 jurisdictions.
Below, she answers questions on her professional journey and the themes of her PrivSec Global session.
- Transformative changes: 36 out of 54 African countries embrace Data Protection Law - Day 1, Wednesday 29th November, 15:00 – 15:45 GMT
Could you briefly describe your career pathway so far?
In the past 15 years, I have had the opportunity to work across more than 25 sub-Saharan African countries. I spent 10 of these years working in the FMCG industry for Nestlé, refining my experience as a legal, data privacy and governance, risk and compliance professional. I have since moved to the fintech space, joining M-KOPA as their Senior Data Privacy Counsel.
I was fortunate enough to enter the data privacy space in the early days of the GDPR. There, I found another way to merge my passion for fostering a compliance culture with the strategy of the business. Being a naturally studious person, I decided to get certified with the IAPP as a Certified Information Privacy Manager and as a Governance, Risk and Compliance expert with the ICA, which, due to the increased use of data, especially in the financial technology industry, and the associated increase in cyber risks, aligned perfectly with my passion.
From time to time, I also teach various courses on data protection and privacy. I am also a non-executive director of the examination board of Tsaaro Academy.
What impact has the African Union Convention on Cyber Security and Personal Data Protection – aka the Malabo Convention – had on data protection and privacy across Africa?
The Malabo Convention is the first international instrument of its kind attempting to harmonise data protection and privacy laws across Africa.
It is a significant and positive step in the right direction. It is the only other binding regional treaty on data protection outside Europe, giving all Africans reason to be proud. It represents new opportunities for the development of digital rights in Africa.
Despite the digital divide on the continent, there is an exponential growth in digitisation and connectivity across the continent. African nations are competing in the international marketplace, so there is potential for abuse of the rights of its citizens.
However, with only 15 countries (out of 54) having adopted the Convention in nine years, it does shine a spotlight on the effectiveness of the Convention. I also have concerns as to the ability for African regulatory bodies to enforce its standards. Notwithstanding that 36 African countries have adopted data protection laws at a national level, which does indicate a desire to protect its citizens, African nations are battling other challenges, such as the economic toll of the post-pandemic world, rising debt and inflation being responded to by a rise in taxation consequently causing crippling costs of living.
Are data protection and privacy going to be a real priority for regulators? Will local business be able to afford the cost of compliance? It has also been suggested that the Malabo Convention is too western. So, if the aim of the African Union, through the Malabo Convention, was to start a conversation about data privacy on the continent, it succeeded. The next step would be for African data privacy professionals to engage with each other and think of an African approach to data privacy.
What challenges must non-signatory countries overcome before they are able to satisfy the Malabo Convention’s standards?
The Malabo Convention seems to take a very broad-brush approach to multiple issues. It addresses data protection, e-commerce, cybercrime and cybersecurity. The uneven advancement in technology, internet penetration, financial technology and now artificial technology across Africa indicates potential challenges for non-signatories to effectively implement the Convention’s provisions.
It also lacks clarity on its applicability to controllers or processors outside Africa. So, non-signatories may, like South Africa, opt to maintain their own local laws and regulations, while implementing many of the principles that best suit them.
African countries are continuing to strengthen data protection legal and regulatory frameworks. To date, 36 out of 54 African countries have data protection laws and/or regulations.
Sixteen countries have signed the African Union Convention on Cyber Security and Personal Data Protection adopted on 27 June 2014 (“Malabo Convention”) and thirteen countries have ratified it, the latest being Niger. 2022 was also a year of unprecedented enforcement.
Are we at a turning point for data protection regulation across Africa?
Get to the heart of the conversation at this exclusive PrivSec Global session.
Also on the panel:
- Olusegun Oyesanya, Legal Counsel & DPO, Renmoney Microfinance Bank
- Mercy Wafula, Data Protection and Privacy Professional - Financial Services Sector
- Mohammed Embaby, Group Data Protection & Privacy Officer, Boubyan Bank
Session: Transformative changes: 36 out of 54 African countries embrace Data Protection Law
Time: 15:00 – 15:45 GMT
Date: Wednesday 29 November 2023
Discover more at PrivSec Global
As regulation gets stricter – and data and tech become more crucial – it’s increasingly clear that the skills required in each of these areas are not only connected, but inseparable.
Exclusively at PrivSec Global on 29 & 30 November 2023, industry leaders, academics and subject-matter experts unite to explore these skills and the central role they play in privacy, security and GRC.