
GDPR compliance and statutory registration with national data protection authorities at Kasha Global, Inc

* Project: End-to-End GDPR Alignment and In-Country Data Protection Registration (Kenya & Rwanda)

* Role: Program Lead - Regulatory Alignment, Security Controls Implementation, Governance Design & Certification

* Outcome: Achieved formal data protection compliance in two jurisdictions, strengthened security posture, improved brand perception, customer trust, and elevated organizational readiness for audits, partnerships, and investment.

In Detail


1) Business Problem with Context: As Kasha scaled operations across Rwanda, Kenya, and South Africa, it increasingly handled sensitive personal and health-related customer data. Despite strong growth, the company faced regulatory exposure:

  • No formal registration with in-country data protection authorities.

  • Growing volumes of PII (Personally Identifiable Information) and sensitive health data across systems.

  • Increasing regulatory scrutiny due to cross-border operations.

  • Heightened investor and partner due diligence expectations.

  • Lack of documented governance frameworks and security controls.

Urgency: Failure to comply risked:

  • Regulatory sanctions and fines

  • Forced operational shutdowns

  • Loss of customer trust

  • Failed partnerships and funding efforts

Compliance was no longer optional; it was foundational to scale.


2) Objective / Success Criteria

  • Objectives:

    • Achieve formal registration with national data protection authorities:

      • ODPC (Office of the Data Protection Commissioner) - Kenya

      • NCSA (National Cyber Security Authority) - Rwanda

    • Align internal IT operations with GDPR principles.

    • Implement security controls consistent with ISO 27001.

    • Establish governance frameworks for data protection and access.

    • Demonstrate compliance readiness to leadership, regulators, and investors.

  • Success Criteria:

    • Successful certification and registration in both countries.

    • Documented data protection and security policies in place.

    • Technical safeguards implemented across infrastructure.

    • Clear ownership of data protection responsibilities.

    • Audit-ready evidence repository.


3) My Role & Ownership: Program Owner with End-to-End Accountability. I personally:

  • Defined the compliance roadmap.

  • Led regulatory engagement and interpretation.

  • Coordinated Legal, IT, Operations, and Executive leadership.

  • Designed and implemented technical security controls.

  • Drafted governance frameworks and policies.

  • Prepared and submitted compliance documentation.

  • Led internal systems evaluation, follow-ups, and certification processes.

This was a cross-functional regulatory program, not a checkbox exercise.


4) What I Did

  • Conducted data mapping to identify PII and sensitive data flows.

  • Classified Kasha as both Data Controller and Data Processor.

  • Defined lawful bases for data processing per GDPR principles.

  • Implemented MFA (2FA/2SA) across all critical systems.

  • Enforced strong password policies organization-wide.

  • Designed and implemented strict Role-Based Access Control (RBAC) using least-privilege principles.

  • Enabled encryption for data at rest (full disk encryption on endpoint devices) and data in transit (SSL/TLS on all web applications).

  • Started a separate project to implement remote device management.

  • Established data backup and recovery procedures.

  • Drafted and enforced a Data Protection Policy, an Access Control Policy, and Incident Response Procedures; stood up a SIRT (Security Incident Response Team) with the relevant stakeholders; and drafted a comprehensive IT Policy and Acceptable Use Policy, among other policies.

  • Coordinated with Legal to align contractual clauses.

  • Registered with ODPC (Kenya) and NCSA (Rwanda).

  • Managed follow-ups and evidence submission until certification.


5) Technical Depth

  • Security & Privacy Controls

    • Multi-Factor Authentication (MFA)

    • Full disk encryption on endpoints

    • TLS encryption across applications

    • Centralized access management

    • Device lifecycle management

    • Backup & disaster recovery planning

  • Governance Frameworks

    • GDPR-aligned privacy principles

    • ISO 27001-inspired security controls

    • Documented policies and SOPs

    • Incident escalation and reporting workflows

  • Compliance Scope

    • Customer data

    • Employee data

    • Vendor and partner data

    • Cross-border data transfers


6) Results & Impact (Before vs After)

  • Before

    • No formal regulatory registration.

    • Fragmented security practices.

    • No structured audit evidence.

    • Increased regulatory and investor risk.

    • Limited internal awareness of data protection responsibilities.

  • After

    • Formal certification and registration in Kenya and Rwanda.

    • Hardened security posture across systems and devices.

    • Clear governance and ownership of data protection.

    • Increased trust from customers, partners, and investors.

    • Reduced regulatory and operational risk.

    • Strong audit readiness for future market expansion.


Strategic Outcome: Compliance became a competitive advantage, not a liability.


7) Challenges & How I Solved Them

  • Slow Regulatory Response (Kenya ODPC): ODPC processes were immature and slow. Solution: persistent follow-ups, complete and proactive documentation, and patience paired with structured escalation.

  • Organizational Awareness Gaps: Non-technical teams lacked an understanding of GDPR implications. Solution: targeted awareness sessions, simplified policies, and clear accountability assignments.

  • Cross-Border Compliance Complexity: Requirements were interpreted differently across jurisdictions. Solution: built a core GDPR-aligned baseline and added jurisdiction-specific overlays on top of it.


8) What I’d Do Differently Next Time

  • Start compliance alignment before market entry.

  • Assign a formal DPO role earlier.

  • Automate compliance evidence collection.

  • Implement continuous compliance monitoring tools.

  • Engage regulators earlier during expansion planning.
