Effect of Data Minimization on Small Businesses

Dear Listers,


The onset of data minimization will have a great effect on small businesses
which rely on APIs to record and credit recurrent payments to the accounts
of their customers. An example is an estate agency which collects rent
through a till number and an API credits payments to rent accounts based on
the phone number. With the current masking on the number i.e. +2547xxxxx015
or the default +254700000000, the API will no longer know where to credit
the rent received via till. Another example is the Naivas Supermarket
Loyalty program which rewards loyalty points automatically to a customer
who pays for shopping via Lipa na MPESA. Going forward, this will not be

Not sure whether there is any workaround around this problem. I personally
think the data minimization should apply to generated till statements and
not to information shared at an API level since this affects how some
systems work. Or there should be a provision where businesses commit not to
share data collected through payments with third parties under any

At the very least, data minimization should happen at the person to person
level where MPESA allows me to know your three names just because I sent
you money.

Please share your thoughts.

Best Regards,

*Nick Ngatia*

*“Development Towards Sustainability is far too more important to leave it
to chance.”*

1 thought on “Effect of Data Minimization on Small Businesses”

  1. On 04/06/2024 17.42, Twahir Hussein Kassim via KICTANet wrote:

    Loyalty cards with bar codes or QR codes would not cause a huge delay.

    How can one enforce compliance? What will be the resulting increase in
    administration costs? Will businesses be able to obtain data breach
    insurance to compensate those affected by data breaches?

    One can use a hash function (en.wikipedia.org/wiki/Hash_function)
    to mask the telephone
    number. One would probably want to update the API to offer the
    possibility of adding a transaction reference number. Probably it would
    be easiest for such APIs to be openly developed, allowing easy
    incorporation of feedback. If only the telephone number is used, what
    happens when one changes telephone number or one has several telephone
    numbers that are used for mobile money? What happens if one uses an
    alternate money transfer mechanism such as bank transfer?

    For those that want to enroll in loyalty point programs, issuing a tag
    with a barcode/QR code or other similar marker that can be quickly
    scanned and can be attached to a keychain should work and be easy to

    Businesses may also be subject to data breaches even if there is a
    decision not to intentionally share data with third parties. Unlike
    banks where misuse of computer systems to transfer money is traceable,
    unauthorized data transfers are much more difficult to detect.
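
The hash-based masking suggested in the reply above, as an added example that is not part of the original post or the reply and is not code from any payment provider. It assumes the provider holds a secret key and sends the business a keyed token (HMAC-SHA256, a substitution for the plain hash function the reply mentions) in place of the number; the key, phone number, account id and function names are all constructed for illustration.

```python
import hashlib
import hmac

def normalize_msisdn(raw: str) -> str:
    """Reduce common Kenyan formats (+2547..., 2547..., 07...) to 2547XXXXXXXX."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if digits.startswith("0") and len(digits) == 10:
        digits = "254" + digits[1:]
    if len(digits) != 12 or not digits.startswith("254"):
        raise ValueError("unrecognised phone number format")
    return digits

def plain_token(msisdn: str) -> str:
    """Unkeyed SHA-256: anyone can recompute it for any candidate number."""
    return hashlib.sha256(normalize_msisdn(msisdn).encode()).hexdigest()

def keyed_token(key: bytes, msisdn: str) -> str:
    """HMAC-SHA256: stable per number, not recomputable without the key."""
    return hmac.new(key, normalize_msisdn(msisdn).encode(), hashlib.sha256).hexdigest()

def candidates_for_mask(masked: str):
    """All numbers consistent with a mask such as +2547xxxxx015."""
    body = masked.lstrip("+")
    hidden = body.count("x")
    for i in range(10 ** hidden):
        fill = iter(f"{i:0{hidden}d}")
        yield "".join(next(fill) if ch == "x" else ch for ch in body)

def matches(token: str, masked: str, token_fn) -> list:
    """Which candidates for the mask reproduce the token under token_fn?"""
    return [c for c in candidates_for_mask(masked) if token_fn(c) == token]

# Constructed sample data: key, number and account id are made up.
PROVIDER_KEY = b"constructed-demo-key-held-by-provider"
TENANT = "+254712345015"
RENT_ACCOUNTS = {keyed_token(PROVIDER_KEY, "0712345015"): "HSE-14B"}  # token stored at enrolment

def credit_account(token: str):
    """The business matches on the token; it never sees the number."""
    return RENT_ACCOUNTS.get(token)

if __name__ == "__main__":
    print(credit_account(keyed_token(PROVIDER_KEY, TENANT)))
    print(matches(plain_token(TENANT), "+2547xxxxx015", plain_token))
```

The second check is the reason for the key: a mask with five hidden digits leaves only 100,000 candidates, so an unkeyed hash sent next to the masked number identifies the payer again, while the keyed token matches nothing without the provider's key.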
