Workplace Privacy Law Compliance Challenges

#Dataprotectionlaws place a clear responsibility on the Controller, not only to comply, but to demonstrate compliance. This is the true meaning of "#Accountability". A recent case offers a powerful reminder of what this expectation looks like in practice. In the incident, three employees were suddenly locked out of their company laptops. IT vendors reset credentials, scanned devices and servers, and even changed administrative passwords as a precaution. Although no malware was found, later investigations revealed something far more significant: an unauthorised actor had accessed the organisation’s backend system, exposing the personal data of 336,759 individuals. - The critical finding? The organisation had only an #external-facing privacy policy. There were no internal processes, no documented data‑handling practices, no complaint‑handling procedures, and no employee guidance. Statements such as “We have implemented procedures for data destruction” existed publicly but internally, no such procedures existed. What was communicated externally became an empty promise. The commission reiterated a key principle: An organisation does not meet the Accountability Obligation merely by publishing a privacy policy. It must be backed by documented internal policies, controls, and practices that employees actually follow. The gaps didn’t stop there. The organisation held large volumes of #sensitive #personaldata but had: - No security review of its servers - No contractual clauses defining vendor responsibilities - No vendor oversight - An outdated, unsupported server (Windows Server 2012) - No MFA and weak password controls Even though IT operations were outsourced, the organisation remained the Controller and therefore responsible. Where vendors handle personal data, the Protection Obligation requires clear #written #contracts, defined responsibilities, and active oversight, not blind reliance. Accountability is not a document. It is a #demonstrable set of actions, controls, and governance practices. Privacy Notices may speak to customers but internal processes and security controls prove whether an #organization truly lives up to them. As we prepare for #DPDP Act compliance, it’s essential that we build procedural clarity through well‑defined policies, procedures, SOPs, and any other documentation required to demonstrate compliance in practice. Equally important is ensuring that these documents don’t merely sit on a shared drive they must be socialised, embedded, and evangelised across teams, so that even the last person in the process chain understands their role and responsibilities. True compliance is not about documentation alone, but about making sure the organisation breathes it, follows it, and lives it every day. #DPDPAct #DataProtection #PrivacyCompliance #AccountabilityInAction #DataGovernance #PrivacyByDesign #ComplianceCulture #DataSecurity #ResponsibleDataUse #PrivacyAwareness #GovernanceMatters #SOPsThatWork

The question of the week (again!) we keep getting. What does the latest $1.35M fine from the CPPA ordered against the nation’s largest rural lifestyle retailer, Tractor Supply Company, mean for us? It’s the largest fine issued in the Agency’s history, marking the first major enforcement action focused on privacy notices and job applicant rights, not just consumer data. Here's what companies can learn from the issued to-do list:   ❗ Implement corrective measures, including scanning digital properties and maintaining a full and current inventory of tracking technologies ❗ Honor do not sell/share requests and opt-outs ❗ Ensure symmetry of choice in cookie consent mechanisms ❗ Review/update privacy notices for consumers, employees, and applicants ❗ Notify all employees/job applicants by email about updates to relevant privacy notices ❗ Launch CCPA training program ❗ Get vendor contracts in order ❗ Post consumer privacy request metrics on its website for five years ❗ Annual executive compliance certifications for four years ❗ Implement/maintain a program to monitor processing of consumers' requests to opt-out of sale/sharing ❗ Conduct annual website/mobile apps review to identify third parties receiving personal information collected through tracking technologies.   What exactly went wrong? 🚫 Failed to provide adequate privacy notices to consumers and job applicants 🚫 Did not honor opt-out requests submitted through its website or respect Global Privacy Control (GPC) signals. 🚫 Shared personal data with other companies without proper contractual safeguards. Most important - what should companies do? ✔️ Update consumer, employee, and job applicant privacy notices. ✔️ Maintain a live data inventory to track personal information, systems, and tracking technologies (Note: this is your proof of compliance when regulators come knocking) ✔️ Establish a cookie governance program, including systematic tracking of all pixels/cookies/trackers, oversight of vendors, and contractual compliance status. ✔️ Monitor and test cookie consent technologies (including Do Not Sell Links and GPC). YOU ARE RESPONSIBLE if they’re not working as expected, not third parties. ✔️ Audit third-party vendor and AdTech contracts to ensure vendors include appropriate privacy protections. ✔️ Test the privacy rights processes and train employees. The era of checkbox compliance is long gone. This case shows that regulators demand that company privacy programs are fully operational and in working order.   Not only are regulators watching, they’re also taking consumer complaints seriously and actively enforcing with BIG FINES. Where to start? Read your privacy notice, test your privacy rights process and those cookie consent banners. Don't be the latest site where NONE of their privacy links worked. 😕 ♻️ Share our carousel to help other privacy pros 👇

I’ve spoken with hundreds of companies looking to expand into the EU. Typically, we see privacy leaders address 7 key challenges for the GDPR: 𝟏/ 𝐀𝐩𝐩𝐨𝐢𝐧𝐭𝐢𝐧𝐠 𝐚𝐧 𝐄𝐔 𝐫𝐞𝐩𝐫𝐞𝐬𝐞𝐧𝐭𝐚𝐭𝐢𝐯𝐞. Companies without an EU office likely need to appoint a local representative—many don’t realize this until late in the process, causing delays. 𝟐/ 𝐃𝐒𝐑 𝐫𝐞𝐬𝐩𝐨𝐧𝐬𝐞 𝐭𝐢𝐦𝐞𝐬 𝐚𝐫𝐞 𝐭𝐢𝐠𝐡𝐭. GDPR requires companies to respond to Data Subject Requests (DSRs) within one month. Many privacy leaders say limited data visibility makes meeting this deadline a challenge. 𝟑/ 𝐃𝐚𝐭𝐚 𝐏𝐫𝐨𝐜𝐞𝐬𝐬𝐢𝐧𝐠 𝐀𝐠𝐫𝐞𝐞𝐦𝐞𝐧𝐭𝐬 (𝐃𝐏𝐀𝐬) 𝐧𝐞𝐞𝐝 𝐮𝐩𝐝𝐚𝐭𝐢𝐧𝐠. Vendors processing EU personal data must have a DPA that meets GDPR requirements. Many privacy leaders may discover their existing agreements don’t meet today’s standards. 𝟒/ 𝐂𝐫𝐨𝐬𝐬-𝐛𝐨𝐫𝐝𝐞𝐫 𝐝𝐚𝐭𝐚 𝐭𝐫𝐚𝐧𝐬𝐟𝐞𝐫𝐬 𝐚𝐫𝐞 𝐜𝐨𝐦𝐩𝐥𝐞𝐱. Transferring EU customer data outside the region requires safeguards like Standard Contractual Clauses (SCCs). Many are re-evaluating their approach after recent enforcement actions. 𝟓/ 𝐃𝐚𝐭𝐚 𝐏𝐫𝐨𝐭𝐞𝐜𝐭𝐢𝐨𝐧 𝐈𝐦𝐩𝐚𝐜𝐭 𝐀𝐬𝐬𝐞𝐬𝐬𝐦𝐞𝐧𝐭𝐬 (𝐃𝐏𝐈𝐀𝐬) 𝐚𝐫𝐞 𝐜𝐫𝐮𝐜𝐢𝐚𝐥. Companies processing large-scale personal data are tackling DPIAs earlier in their expansion process to avoid surprises. 𝟔/ 𝐀 𝐝𝐚𝐭𝐚 𝐛𝐫𝐞𝐚𝐜𝐡 𝐫𝐞𝐬𝐩𝐨𝐧𝐬𝐞 𝐩𝐥𝐚𝐧 𝐢𝐬 𝐧𝐨𝐧-𝐧𝐞𝐠𝐨𝐭𝐢𝐚𝐛𝐥𝐞. GDPR requires companies to report data breaches within 72 hours. Privacy teams are prioritizing incident response planning before expansion—not after. 𝟕/ 𝐃𝐏𝐎𝐬 𝐚𝐫𝐞𝐧’𝐭 𝐨𝐩𝐭𝐢𝐨𝐧𝐚𝐥 𝐮𝐧𝐝𝐞𝐫 𝐆𝐃𝐏𝐑. Companies processing large volumes of personal data must appoint a Data Protection Officer (DPO). Privacy leaders debate whether to outsource this role for independence or keep it in-house for better business alignment. What’s been the biggest challenge in GDPR for your team? cc: Andy Dale, Justin Olsson, Megan Niedermeyer #Privacy #Security #Legal #GDPR  

📌 Employee Data under GDPR vs. CCPA: When Privacy Enters the Workplace Not all personal data belongs to customers. What about employees? Whether you're running HR for a European startup or a California tech firm, privacy law has plenty to say about the people behind the screen. Let’s break it down 👇 🇪🇺 GDPR: Full Rights for Employees In the EU, employees are fully-fledged data subjects - just like consumers. They enjoy the full suite of rights: ✅ Access to personnel files ✅ Rectification of errors ✅ Erasure (in some cases) ✅ Right to object - when processing (e.g. monitoring/profiling) is based on legitimate interest ✅ DPIAs - required when processing is high risk (e.g. surveillance, biometrics) 🧠 Consent? Not ideal. Per Recital 43, consent is unlikely to be freely given in situations of power imbalance - like between an employer and an employee. → Employers should rely on legal obligation or legitimate interest, with safeguards. 🧪 Example: A German company uses facial recognition to track attendance. This biometric data triggers a DPIA, requires a valid legal basis, and additional safeguards. 💡 Bottom Line: In Europe, workplace privacy is an extension of fundamental rights. Employers must justify why and how they process employee data. 🇺🇸 CCPA: Employees as Consumers California’s CCPA includes employees, contractors, and job applicants under the term “consumer.” This means California employers must now uphold: 📋 Right to know what’s collected 🧽 Right to delete (with exceptions) 🛠️ Right to correct 🚫 Right to opt out of sale/sharing 🛑 Right to limit use of sensitive personal info ⚠️ Key points: – No formal DPIA requirement – Consent is still valid in many cases – No specific rules yet on employee surveillance, though broader CCPA rules apply 🧪 Example: A California employer tracks geolocation via mobile app. This may count as sensitive personal info, and employees could limit its secondary use. 💡 Bottom Line: California now extends privacy rights to employees - but within a consumer rights framework, not a fundamental rights regime. 🎯 The Core Difference GDPR → Rights-based, principle-heavy, accountability-focused CCPA → Consumer-centric, flexible, still evolving 🌍 What This Says About Privacy Culture 🇪🇺 “An employee is a rights-holder - regardless of role.” 🇺🇸 “An employee is a consumer - now entitled to more transparency and control.” Same desk. Different philosophies. 👇 Want a follow-up on: 🔹 Vendor risk - how third-party liability plays out under GDPR vs. CCPA? 🔹 What businesses need to consider before EU-U.S. data transfers? #GDPR #CCPA #CPRA #EmployeeData #WorkplacePrivacy #HRCompliance #CIPPE #CIPPUS #PrivacyProfessional #EUUSPrivacySeries #DataRights #GlobalPrivacy #LinkedInLearning #InfoSec #DataProtection

𝐃𝐏𝐃𝐏 𝐢𝐬 𝐧𝐨𝐭 𝐚 𝐜𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞 𝐥𝐚𝐰. 𝐈𝐭 𝐢𝐬 𝐚 𝐝𝐚𝐭𝐚 𝐚𝐫𝐜𝐡𝐢𝐭𝐞𝐜𝐭𝐮𝐫𝐞 𝐫𝐞𝐟𝐨𝐫𝐦. Last Saturday morning, I joined Akash Agrawal for a session with the ISB Alumni Association (Delhi NCR Chapter) on India’s Digital Personal Data Protection (DPDP) Act. One observation stayed with me. For a law that will reshape how every organisation handles personal data, the leadership attention it deserves remains modest. This mirrors what I am seeing across industry conversations: many organisations still view DPDP as a distant legal development rather than an imminent operating-model shift. Historically, regulatory urgency in India has accelerated after the first visible enforcement actions. DPDP is unlikely to be different. Three implementation realities that stood out in discussion: 1. Purpose comes before consent The Act does not require consent for everything. It requires processing to be anchored to a clear lawful ground. Purpose → determines → lawful ground → determines → retention. If purpose is unclear, consent will not rescue the processing. 2. Liability cannot be outsourced You may outsource processing to vendors, platforms or SaaS tools. You cannot outsource fiduciary responsibility. Under DPDP, the regulatory lens remains on the Data Fiduciary. 3. Employee data is the hidden risk zone Many organisations still rely on: • WhatsApp sharing • personal email exchanges • unrestricted internal access • legacy HR data retention These everyday practices are structurally incompatible with DPDP’s purpose-linked and access-controlled model. The transition window is shorter than it appears Rules were notified in November 2025. Indicative enforcement is expected around May 2027. For most organisations, this is one redesign cycle, not a gradual evolution. The real takeaway DPDP compliance will not be achieved through privacy policies, consent banners, or contract clauses alone. It will be achieved by redesigning how data is collected, accessed, retained and deleted inside the organisation. DPDP is ultimately an operating-model change. If your organisation has not yet mapped its personal data flows, purposes and retention logic, you are already behind the implementation curve. #DPDPAct #DPDP #DataProtection #DataGovernance #Privacy #DigitalIndia #AIGovernance #ISBAlumni #ISB

🚀 𝐄𝐌𝐏𝐋𝐎𝐘𝐌𝐄𝐍𝐓 𝐀𝐍𝐃 𝐀𝐈: 𝐍𝐄𝐖 𝐀𝐔𝐒𝐓𝐑𝐀𝐋𝐈𝐀𝐍 𝐑𝐄𝐆𝐔𝐋𝐀𝐓𝐎𝐑𝐘 𝐑𝐄𝐏𝐎𝐑𝐓🚀 AI is already reshaping our lives. One of the most profound transformations is happening in the workplace. AI is changing how we do our jobs—and soon, it will change which jobs exist at all. Some roles will disappear, while new ones emerge. Naturally, unions are concerned—not just about job losses, but about mental health, workplace safety, and the risks of unregulated AI adoption. They have been vocal in demanding that workers be at the centre of AI adoption decisions. We are at a crossroads: how do we balance AI-driven productivity gains with the impact on workers? 📢 The House Standing Committee on Employment, Education and Training has released a report on the digital transformation of workplaces, examining the rapid rise of automated decision-making and machine learning in employment. 107 pages of insights, challenges, and, crucially, 21 recommendations. There's a lot in there, but some key details include: 📌 Regulating AI in employment – The report recommends that AI used in employment decisions (such as hiring and termination) be classified as high-risk, ensuring stronger oversight and safeguards against unfair or biased outcomes. 📌 Strengthening worker privacy protections – It's clear the current privacy laws fail to protect workers’ privacy. At the same time, the Fair Work Act does not contain dedicated privacy protections. The report recommends: 🔹 Banning high-risk uses of workers data, such as providing it to AI developers. 🔹 Prohibiting the sale to third parties of workers’ personal data. 🔹 Requiring transparency in workplace surveillance and data use. 🔹 Empowering the Fair Work Commission to handle privacy-related complaints. 📌 Ensuring worker consultation on AI adoption – Employers should be obligated to consult workers throughout AI adoption, ensuring that new technologies are implemented fairly and do not unfairly disadvantage employees. 📌 Mandating independent AI audits – Government audits of AI are recommended to monitor bias, fairness, and compliance, ensuring AI decisions meet ethical and legal standards. The industrial relations fire has long been burning between unions, employees, and employers—and AI is accelerant. We must strike the balance between AI adoption and worker protections. The employee records exemption leaves many workers without real privacy protections. If AI is to be used fairly in workplaces, reforms here will be just as important as AI-specific regulation. It's inevitable that many workers will be impacted by the AI revolution, but get policies right—and Australia wins. Support AI-driven innovation while ensuring retraining, transparency, and fairness. Get it wrong—and we risk exacerbating job insecurity, discrimination, and workplace inequality - we all lose. #AI #FutureOfWork #Privacy #CyberSecurity #ArtificialIntelligence #EmploymentLaw #DigitalTransformation #AIRegulation

Most new privacy professionals with fresh CIPP certifications are unprepared for this conversation "We want to track what customers look at on our website and send them targeted emails about those products. That’s fine since they’re already our customers, right?" You know the legal framework. You understand GDPR. You passed your certification. But now you're facing a room of marketing stakeholders who need answers that help them do their jobs. Knowledge tells you: This involves processing personal data for marketing - need to check lawful basis, likely legitimate interests with balance test, plus consider ePrivacy rules for tracking. Judgment asks: Does this specific use case make sense? → What exactly are they tracking? Page views or detailed behavior? → What does “personalization” mean here, recommendations or aggressive targeting? → What did customers expect when signing up? → Can they easily opt out? → Is this helpful to the customer or just to marketing? The legal answer is the same. The practical approach varies completely. This gap isn’t discussed enough in privacy education. We learn the "what" and "why" in certification programs, but day-to-day privacy work is all about the "when" and "how." → When to push back vs. find creative workarounds → How to get buy-in without a budget or authority → When "perfect" compliance isn’t realistic—and what to do instead → How to speak business language while holding privacy lines Many privacy professionals struggle here because we're: → Waiting for perfect info before acting → Speaking only in compliance terms → Afraid to make the wrong call and get blamed But here’s the reality: Judgment comes from experience and imperfect action beats perfect paralysis. The most effective privacy professionals aren’t those who memorize every regulation. They’re the ones who navigate gray areas and keep the business moving. Real examples of knowledge vs. judgment: → The Marketing Automation Dilemma Knowledge: Needs lawful basis, tracking consent, LI balancing test Judgment: Start with product category suggestions, include opt-out, test customer response before expanding → The Vendor Assessment Crisis Knowledge: DPA + security questionnaire needed Judgment: Vendor handles minimal data, go live now with essentials, full review in parallel → The Data Retention Debate Knowledge: Delete data when no longer needed Judgment: Tier retention by sensitivity/business value with review points, not a one-size policy Certifications teach you to spot problems. Experience teaches you to solve them. What’s the biggest gap you’ve faced between privacy theory and real-world practice? P.S. If you’re feeling this tension, you’re right on track. This isn’t a flaw in your education. It’s the start of real expertise. The most effective privacy professionals I know all went through this same shift.

Privacy is in the details, not the declarations! We often hear, “This call is being recorded and by attending the meeting you consent to such recording. But does that statement meet the notice and consent requirements under the Data Protection Act? That question came alive in ODPC's determination in Andrew Alston vs Liquid Telecom Kenya. Which offers timely lessons for organisations relying on legitimate interest as a lawful basis for processing. The Data Commissioner rightly observed that to use legitimate interest as a lawful badis, an organisation must demonstrate that no less intrusive method exists to achieve the same purpose. Here are a few lessons for organizations: 📌Legitimate interest is not a free pass. It requires a documented balancing test showing why the processing is necessary, proportionate, and the least intrusive option is not available. Without that, the lawful basis becomes shaky at best. The Data Commissioner further observed that a simple notification for example, on Zoom or Teams does not meet the transparency obligations under Section 29 of the DPA. Transparency requires meaningful information, including, the purpose of processing, how long the data will be kept, and how data subjects can exercise their rights. 📌Communication is part of compliance. Where a data subject exercises their rights such as the right to erasure, any decision to decline must be clearly communicated. Silence or inaction can amount to non-compliance. 📌 Cross-border transfers deserve closer scrutiny. Beyond identifying a lawful mechanism, organisations must ensure the transfer aligns with the sensitivity of the data involved and the lawful basis applied. That said, another aspect worth deeper reflection was the cross-border data transfer between Liquid Kenya and Liquid Mauritius. From my reading, this is an area that should have been more closely examined by the ODPC. Specifically to determine whether a valid Binding Corporate Rule (BCR) existed to facilitate the transfer, and what lawful basis was relied on. For instance, could the recordings have contained elements that meet the definition of sensitive personal data, thereby requiring consent for transfer? Or was the transfer perhaps linked to the performance of a contract? These nuances matter because they shape the compliance posture of multinational operations. #dataprotection #dataprivacy #compliance

𝐆𝐃𝐏𝐑 𝐕𝐢𝐨𝐥𝐚𝐭𝐢𝐨𝐧𝐬 𝐂𝐚𝐧 𝐍𝐨𝐰 𝐀𝐦𝐨𝐮𝐧𝐭 𝐭𝐨 𝐔𝐧𝐟𝐚𝐢𝐫 𝐂𝐨𝐦𝐩𝐞𝐭𝐢𝐭𝐢𝐨𝐧: 𝐀 𝐆𝐚𝐦𝐞-𝐂𝐡𝐚𝐧𝐠𝐢𝐧𝐠 𝐃𝐞𝐯𝐞𝐥𝐨𝐩𝐦𝐞𝐧𝐭 𝐟𝐨𝐫 𝐁𝐮𝐬𝐢𝐧𝐞𝐬𝐬𝐞𝐬 A recent judgment by the Court of Justice of the European Union (CJEU) has dramatically expanded the potential consequences of violating GDPR. It's no longer simply about administrative fines or compliance burdens—now, misuse of personal data can also amount to actionable unfair competition, directly empowering competitors to take legal steps. 📌 Why is this significant? Until now, GDPR compliance was mostly seen as an internal legal and compliance matter—a cost rather than a strategic opportunity. Businesses often considered privacy rules primarily in terms of avoiding fines from data protection authorities. However, this new development shifts the landscape completely: companies misusing personal data could face lawsuits from their competitors, not just regulators. Imagine a scenario where a business unlawfully leverages user data—collected without adequate transparency or explicit consent—to gain commercial insights, better-targeted marketing, or improved customer acquisition. Such unlawful data use clearly provides an unfair competitive edge, disadvantaging competitors who diligently comply with GDPR. Under this recent CJEU ruling, those GDPR-compliant competitors now have a powerful legal tool: they can sue for unfair competition, demanding restoration of fair market conditions and potentially significant compensation for damages incurred. 📌 Strategic Implications This ruling makes GDPR compliance an essential strategic asset rather than merely a regulatory obligation. Companies investing in rigorous data protection practices not only avoid regulatory fines but also gain a competitive weapon against rivals who take shortcuts on privacy compliance. Moreover, businesses must now reconsider their entire data management strategy. The stakes are significantly higher, as non-compliance exposes them not only to regulatory penalties but also costly litigation initiated by competitors who feel commercially harmed by such practices. 📌 What should businesses do next? 1️⃣ Conduct thorough reviews of data collection processes to ensure transparency and consent. 2️⃣ Integrate data protection deeply into their competitive strategy and risk assessment. 3️⃣ Monitor competitors’ practices actively to ensure fair competition. What do you think about this new development? #GDPR #PrivacyCompliance #Ecommerce #DigitalMarketing #UnfairCompetition #LegalUpdate #DataProtection

Another ODPC Blow: Solar Panda Kenya Ordered to Pay KES 500,000 for Data Privacy Breach Another major decision from the Office of the Data Protection Commissioner (ODPC) highlights the increasing enforcement of Kenya’s Data Protection Act, 2019. In Lawrence M’impwi Kirima v. Solar Panda Company Kenya Ltd, the ODPC found the company liable for using a former employee’s image for commercial marketing without consent, resulting in a KES 500,000 compensation order. This case serves as a wake-up call for businesses handling personal data. Here are the key lessons every company should take seriously: 1. Consent is King in Data Processing Kenyan law is clear, you cannot use someone’s personal data, including their image, for commercial purposes without their express consent. Even if an employee previously worked for you, that does not give automatic rights over their personal data. 2. The Burden of Proof Lies with Businesses Under the Data Protection Act, 2019, it’s not enough to assume consent. The data controller (business) must provide clear proof that valid consent was obtained before using personal data. If you can’t prove it, you risk legal action and fines. 3. Employee and Customer Data Requires Clear Agreements Businesses must ensure that contracts and agreements: ✅ Explicitly state how personal data (including photos) will be used. ✅ Include updated consent clauses for compliance with data protection laws. ✅ Are regularly reviewed to align with evolving legal standards. 4. Non-Compliance Can Be Costly! With a KES 500K penalty, this case reinforces the fact that data breaches and non-compliance will lead to financial loss and reputational damage. More ODPC enforcement actions are coming, and businesses must prioritize compliance to avoid hefty fines. 5. It’s Time to Audit Your Data Protection Practices Companies must proactively: 🖋️ Review internal policies on data collection, storage, and usage. 🖋️ Implement proper consent mechanisms for employees and customers. 🖋️ Train staff on data protection laws to avoid violations. 🖋️ Engage legal experts to ensure full compliance with the Data Protection Act. Final Thought: If your business is collecting, storing, or using personal data, you cannot afford to ignore Kenya’s data protection laws. Avoid lawsuits, fines, and reputational damage by ensuring compliance today! Need guidance on Data Protection Compliance? Reach out to Mbuchi & Associates Advocates for expert legal support. #DataProtection #PrivacyLaws #KenyaLaw #LegalCompliance #ODPC #DataPrivacy #MbuchiLegalInsights