Data Protection, 10 March 2026

Navigating Kenya's Data Protection Act: What Businesses Must Do Now

The Data Protection Act, 2019 has fundamentally changed how organisations in Kenya collect, process, and store personal data. With enforcement now in full effect, compliance is no longer optional.

Disclaimer: This article is provided for general informational purposes only and does not constitute legal advice. The information may not reflect the most current legal developments. No reader should act or refrain from acting on the basis of this article without seeking professional legal advice. LHK & Company Advocates expressly disclaims all liability in respect of actions taken or not taken based on the contents of this article.

01. The Data Protection Landscape in Kenya

Kenya's Data Protection Act, 2019 (DPA) established the Office of the Data Protection Commissioner (ODPC) as the primary regulatory authority overseeing data privacy in the country. Since its commencement, the ODPC has issued guidelines, registered data controllers and processors, and begun enforcement activities.

The DPA applies to any organisation that collects, processes, or stores personal data of individuals in Kenya, regardless of whether the organisation itself is based in Kenya. This extra-territorial reach means that international companies serving Kenyan customers must also comply.

Recent amendments and subsidiary regulations have further clarified obligations around data breach notification, cross-border data transfers, and the rights of data subjects. Organisations that have not updated their practices since the Act's initial passage should conduct a fresh compliance assessment.

02. Key Compliance Obligations for Businesses

Registration with the ODPC is mandatory for all data controllers and data processors. Failure to register constitutes an offence and can attract significant penalties. Businesses must complete the registration process through the ODPC's online portal, providing details of the data they handle and the purposes for which it is processed.

Organisations must implement appropriate technical and organisational security measures to protect personal data. This includes encryption, access controls, regular security audits, and staff training on data handling procedures. The standard of protection must be proportionate to the sensitivity of the data.

Data subjects have extensive rights under the DPA, including the rights to be informed, to access their data, to rectify inaccuracies, to object to processing, and to request deletion. Businesses must have processes in place to respond to these requests within the timeframes prescribed by law.

03. Cross-Border Data Transfers

Transferring personal data outside Kenya is only permitted if the recipient country or organisation provides adequate data protection safeguards. The ODPC has issued guidance on what constitutes adequate protection, and organisations relying on cross-border transfers should review their arrangements carefully.

Standard contractual clauses, binding corporate rules, and explicit consent from data subjects are among the mechanisms that can be used to legitimise cross-border transfers. However, the specific requirements vary depending on the nature of the data and the destination country.

04. Enforcement and Penalties

The ODPC has the power to conduct investigations, issue enforcement notices, and impose substantial fines for non-compliance. Penalties can include fines of up to KES 5 million or imprisonment of up to ten years for serious offences.

Beyond regulatory penalties, non-compliance with the DPA can expose businesses to civil liability from affected data subjects. Reputational damage from data breaches or privacy violations can also have significant commercial consequences. The message is clear: proactive compliance is both a legal obligation and a business imperative.
