Kenya's Data Protection Act: What Your Business Must Do Now

The Kenya Data Protection Act 2019 and its 2022 Regulations is not a future concern. It is present-tense law with functioning enforcement machinery, real penalties, and a regulator — the Office of the Data Protection Commissioner (ODPC) — that has demonstrated it will use its powers.

Organisations that are still treating the DPA as a bureaucratic exercise or deferring compliance to "when we have more time" are accumulating liability that could prove existential.

What the penalties actually look like

The core obligations

Registration

Data controllers and processors must register with the ODPC at odpc.go.ke. Registration requires submitting details of your processing activities, categories of personal data, retention periods, and security measures. It must be renewed and updated when processing activities change materially.

Lawful basis for processing

You must have a lawful basis for every type of personal data processing. The DPA recognises consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. If you rely on consent, it must be freely given, specific, informed, and unambiguous.

Data subject rights

Individuals have enforceable rights: access, correction, objection, deletion, and breach notification. Your organisation must have processes to receive and respond to these requests within required timeframes.

Breach notification

If a breach is likely to result in risk to individuals, you must notify the ODPC within 72 hours of becoming aware of the breach. Affected individuals must also be notified without undue delay.

Data protection by design

New systems involving personal data must be designed with data protection built in — not bolted on. This means privacy impact assessments, data minimisation, and privacy-protective default settings.

The practical compliance checklist

• Register with the ODPCRequired for all data controllers and processors operating in or affecting Kenya.
• Appoint a Data Protection Officer (DPO)Required for organisations processing large volumes or sensitive personal data.
• Complete a data mapping exerciseDocument every category of personal data: where it comes from, how it's used, where stored, who has access, when deleted.
• Review and document your lawful basesFor each type of processing, identify and document the lawful basis. Review consent mechanisms.
• Publish a compliant Privacy NoticeMust state who you are, what data you collect, why, how long you keep it, and what data subjects' rights are.
• Establish a data subject rights processDefine how requests for access, correction, deletion, and objection will be received and fulfilled.
• Create a breach response procedureDocument the incident response process including the 72-hour ODPC notification trigger.
• Review third-party data processing agreementsVendors processing personal data on your behalf must have a formal DPA-compliant data processing agreement.
• Implement a retention and deletion policyDefine retention periods for all data categories and implement processes to delete or anonymise expired data.
• Deliver staff trainingEveryone who handles personal data must understand their obligations. Training must be documented.

Special considerations for SACCOs and financial institutions

Kenya's financial sector faces a layered compliance environment. SACCOs must comply with the DPA, the AML/CTF framework (including goAML registration with the FRC), and applicable CBK guidance. The FATF grey-listing of Kenya in 2024 has significantly intensified regulatory scrutiny. Cybersecurity controls — access management, audit logging, incident response — are now effectively part of the AML compliance picture.