Discuss the role of the Office of the Data Protection Commissioner. Also, address a company that collects customer information and shares it without consent, and identify the violated law and suggested measures.

1) The company has violated the Data Protection Act, 2019 of Kenya. 2) This action is illegal under Kenyan ICT law, specifically the Data Protection Act, 2019, for several reasons: • Lack of Consent: The Act requires that personal data be processed lawfully, which includes obtaining explicit consent from the data subject before collecting or sharing their information. Sharing customer data with third parties without their consent is a direct violation of this principle. • Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes. Sharing data with third parties for purposes not originally disclosed or consented to by the customer violates the principle of purpose limitation. • Transparency: Data controllers must be transparent about how personal data is collected, processed, and shared. The company failed to inform customers that their data would be shared, thus lacking transparency. • Confidentiality and Integrity: Sharing personal data without authorization compromises the confidentiality and integrity of that data, as it exposes it to parties for whom it was not intended, potentially leading to misuse. 3) Three measures the company should implement to comply with data protection regulations are: • Obtain Explicit Consent: The company must clearly inform customers about the specific purposes for which their data will be collected and processed, including any sharing with third parties, and obtain their explicit, informed consent before any data collection or sharing occurs. This can be done through clear privacy notices and opt-in mechanisms. • Implement a Comprehensive Privacy Policy: Develop and publicly display a detailed privacy policy that outlines the types of data collected, the purposes of processing, data retention periods, security measures, and the rights of data subjects. This policy should be easily accessible and understandable to customers. • Establish Data Processing Agreements and Security Measures: If sharing data with third parties is necessary and consented to, the company must enter into legally binding data processing agreements with these parties, ensuring they also comply with data protection principles. Additionally, the company must implement robust technical and organizational security measures (e.g., encryption, access controls) to protect personal data from unauthorized access, disclosure, or loss.