Kenya Data Protection Act: What Your Business Must Have in Place
The Office of the Data Protection Commissioner began issuing enforcement notices in 2024. The grace period is over. Every business that collects, stores, or processes personal data from individuals in Kenya must comply with the Data Protection Act of 2019 or face penalties of up to KES 5 million or 1% of annual turnover.
Compliance is not optional, and it is not limited to tech companies. If your business keeps a customer database, employee records, or even a mailing list, the DPA applies to you.
Registration with the ODPC
Every data controller and data processor must register with the ODPC. A data controller determines why and how personal data is processed. A data processor handles data on behalf of a controller.
If your business collects customer names, phone numbers, email addresses, or identification documents for any purpose, you are a data controller. If you outsource payroll processing, your payroll provider is a data processor. Both must register.
Registration is done through the ODPC online portal. The fee depends on your business category. Sole proprietors pay KES 2,000. Companies pay between KES 5,000 and KES 10,000 depending on turnover. The registration is annual.
The Privacy Policy Requirement
The DPA requires every data controller to publish a privacy policy that explains what data you collect, why you collect it, how you store it, who you share it with, and how long you keep it. Vague statements like "we may share your data with third parties" do not satisfy the Act.
Your privacy policy must be specific. Name the categories of personal data you collect. State the lawful basis for processing under Section 30 of the DPA. Identify each third party by name or category. Specify your retention periods in months or years, not in undefined terms.
Display the privacy policy prominently on your website. For physical businesses, make a printed copy available to customers who ask.
Consent Mechanisms
Consent under the DPA must be informed, specific, and freely given. Pre-checked boxes do not constitute valid consent. Bundled consent, where a customer must agree to data processing as a condition of receiving an unrelated service, fails the "freely given" test.
Build consent collection into your customer intake process. A separate, clearly worded consent form that explains exactly what the customer is agreeing to, presented before data collection begins, satisfies the requirement. Keep records of when each customer gave consent and what they consented to.
Customers have the right to withdraw consent at any time. Your systems must support this operationally: you need a process for receiving withdrawal requests and acting on them within a reasonable timeframe.
Data Security Controls
Section 41 of the DPA requires appropriate technical and organizational measures to protect personal data. "Appropriate" depends on the sensitivity of the data and the size of your organization, but some controls are baseline requirements for every business.
Restrict access to personal data to employees who need it for their job functions. Use password-protected systems. Implement regular backups. If you store data electronically, use encryption for sensitive records. If you store physical files, secure them in locked cabinets with controlled access.
Document your security measures in writing. An auditor or the ODPC will ask for this documentation during any review. The document does not need to be elaborate, but it must exist and it must reflect what you actually do.
Data Subject Rights
Individuals have the right to access their personal data, correct inaccurate data, and request deletion of data that is no longer necessary. Your business must respond to these requests within 30 days.
Designate a person or team responsible for handling data subject requests. Train them on the process: verify the identity of the requester, locate the relevant data, provide or correct it within the deadline. Log every request and every response.
Failure to respond to a data subject request within the statutory period is itself a violation of the DPA, regardless of whether the underlying data handling was lawful.
Breach Notification
If personal data in your custody is accessed, disclosed, or lost without authorization, you must notify the ODPC within 72 hours of becoming aware of the breach. If the breach poses a risk to the affected individuals, you must also notify them directly.
Prepare a breach response plan before a breach occurs. The plan should cover who to notify internally, how to assess the scope and severity of the breach, how to contact the ODPC, and how to communicate with affected individuals. Waiting until a breach happens to figure out the process costs precious hours from your 72-hour window.
DPA compliance is a business obligation, not a technology project. The controls are administrative and procedural as much as they are technical. Most small businesses can achieve compliance within 30 to 60 days with focused effort.
We assist businesses with ODPC registration, privacy policy drafting, and compliance gap assessments. If you have not started your DPA compliance work, start now. The ODPC is actively enforcing, and the penalties are real.