Responsible data governance in Africa: Institutional gaps and capacity needs

Africa is quickly becoming the new data frontier in the face of continued increase in the deployment of digital technologies. A proportionate data governance ecosystem is, however, still lacking. The available governance ecosystem is characterised by a lack of relevant institutions or in most cases non-functional institutions for effective data governance implementation. As part of the bid to understand how to create a functional and responsible data governance ecosystem that can play a vital role in Africa's competitiveness in the global data economy, this report explored the questions; what are the institutional gaps impeding responsible and sustainable data governance in Africa and what are the peculiar institutional capacity needs of existing institutions? To answer these questions, we used a multidimensional research approach to study five African countries namely Nigeria, Morocco, Kenya, Mauritius and South Africa. In this study, we identified clear institutional gaps and capacity needs that require significant attention. The findings show that institutions that make or create data and monitor governance laws beyond data protection, that can generate evidence-based research for data governance and that can facilitate Findable, Accessible, Interoperable, Reusable (FAIR) data are lacking in Africa. They also demonstrated that whereas data protection regulations are gaining traction in Africa, most established institutions created to monitor compliance and enforcement are yet to operate independently of government control. This lack of independence grossly affects effectiveness at different levels. Furthermore, our findings show that both private and public data-driven entities that should apply data governance principles to their processing workflows are yet to establish data governance roles within their organisations. To understand institutional capacity needs, we studied established institutions for monitoring the compliance and enforcement of data protection regulations which are often called Data Protection Authorities (DPAs) in these countries. We identified that compliance and enforcement of data protection regulations remain low, and this is informed by a number of factors including; a lack of robust organisational culture built around the right people, non-functional systems and processes that support efficient data related policies for the right stakeholders, and a lack of enabling infrastructure to adequately respond to the views and needs of data stakeholders. The findings of this research show that for DPAs in Africa, lack of the right mix of relevant expertise, skills and knowledge (particularly technical and ethical skills), non-integration of contextual African values, lack of resources (including funding and technologies), lack of clear policy methodology, monitoring and enforcement plans and risk assessment approaches contribute to the existing inefficiency of data governance mechanism.