Protecting Your Business: A Corporate Guide to the Kenya Data Protection Act, 2019

This guide outlines your core obligations, the risks of non-compliance, and the immediate steps your organization must take to safeguard its reputation and bottom line.

In today’s digital economy, personal data is a critical asset. However, under the Kenya Data Protection Act, 2019 (DPA), it is also a significant liability if mishandled. The era of unregulated data collection in Kenya is over. With the Office of the Data Protection Commissioner (ODPC) actively enforcing compliance, data protection is no longer just an IT issue—it is a boardroom priority.

1. The Cost of Non-Compliance: A Real Business Risk

The DPA empowers the ODPC to impose severe penalties for breaches:

  • Fines: Up to KES 5 Million or 1% of your annual turnover, whichever is lower.
  • Enforcement Notices: Orders to stop processing data, effectively halting your business operations.
  • Reputational Damage: Loss of consumer trust can be far more costly than any regulatory fine.

Recent Enforcement Actions:

The ODPC has moved beyond warnings. Recent penalties against educational institutions (e.g., Roma School – KES 4.55M), hospitality venues (Casa Vera Lounge – KES 1.85M), and digital lenders (Whitepath – KES 5M) demonstrate that no sector is immune.

2. Are You a Data Controller or Processor?

Understanding your legal classification is the first step to compliance:

  • Data Controller: The entity that determines the purpose and means of processing personal data (e.g., an employer processing payroll, a bank handling customer accounts). You bear the primary liability.
  • Data Processor: An entity that processes data on behalf of a Controller (e.g., an outsourced payroll firm, a cloud storage provider). You must adhere to strict contractual and security obligations.

3. Your Mandatory Obligations

A. Registration with the ODPC

Registration is mandatory for most data controllers and processors.

  • Exemptions: Entities with an annual turnover below KES 5 Million and fewer than 10 employees are generally exempt.
  • Crucial Exception: You MUST register regardless of turnover/size if you process personal data for specific purposes, including:
      • Education & Health Care.
      • Financial Services & Fintech.
      • Hospitality & Transport.
      • Direct Marketing.

B. Data Protection Impact Assessments (DPIA)

Before launching any new product, service, or technology that poses a “high risk” to privacy, you must conduct a DPIA. This is mandatory for:

  • Large-scale processing of sensitive data (health, biometric, etc.).
  • Systematic monitoring of public areas (CCTV).
  • Use of new technologies or automated decision-making/profiling.

C. Breach Notification (The 72-Hour Rule)

In the event of a data breach (e.g., a hack, lost laptop, or accidental email leak), you have a strict statutory timeline:

  • Notify the ODPC within 72 hours of becoming aware of the breach.
  • Notify the Data Subject without delay if the breach poses a high risk to their rights (e.g., risk of identity theft).

4. The Rights of Your Data Subjects

Your customers and employees have enforceable rights. Your organization must have procedures to handle requests regarding:

  • Right to Access: Providing a copy of the data you hold.
  • Right to Erasure (“Right to be Forgotten”): Deleting data when it is no longer necessary.
  • Right to Object: Stopping the processing of data for direct marketing.

Advisory Note: Ignoring these requests is a common trigger for ODPC complaints and investigations.

5. Client Action Plan: 5 Steps to Mitigate Risk

To ensure your organization is compliant, we recommend the following immediate actions:

  1. Conduct a Data Audit: Map all personal data flows in your organization. You cannot protect what you do not know you have.
  2. Review Contracts: Ensure all agreements with third-party vendors (Processors) include mandatory data protection clauses.
  3. Update Privacy Policies: Your privacy notices must be transparent, detailing exactly what data is collected and why.
  4. Appoint a Data Protection Officer (DPO): While not mandatory for every SME, it is legally required if your core activities involve regular and systematic monitoring or large-scale processing of sensitive data.
  5. Train Your Staff: Human error is the leading cause of data breaches. Regular training is your first line of defense.

Conclusion

Compliance with the Data Protection Act is not optional; it is a statutory duty. 