Data Protection Act 2019 Kenya obligations under the Data Protection Act No. 24 of 2019 apply to every business that collects, stores, or uses personal data in or from Kenya. The Office of the Data Protection Commissioner (ODPC) is actively enforcing it. Penalties include administrative fines of up to KES 5,000,000 or 1 percent of annual turnover, whichever is lower, a notably more lenient cap than the GDPR-style “whichever is higher” formula many businesses assume Kenya’s law follows, though a more lenient cap does not mean a small one for a large undertaking, since 1 percent of a substantial annual turnover figure can still be a significant sum even capped below the alternative.
Data Protection Act 2019 Kenya: What Counts as Personal Data?
Personal data is any information relating to an identified or identifiable natural person: names, ID numbers, phone numbers, email addresses, location data, IP addresses, biometric data, financial records, employment records, and any other information that can identify a specific individual. Sensitive personal data, race, health status, genetic or biometric data, sexual orientation, and criminal convictions among the categories listed, attracts additional protections and generally requires a stronger legal basis before processing.
Step 1: Register With the ODPC, If You Meet the Threshold
Registration is completed through the ODPC online portal, providing details about the categories of personal data processed, the purposes of processing, and the security measures in place. Businesses with annual turnover below KES 5 million and fewer than 10 employees are exempt from mandatory registration, unless they process sensitive personal data or operate in a regulated sector such as financial services, healthcare, or telecommunications, in which case the exemption does not apply regardless of size. A small business should not assume the exemption covers it automatically simply because it is small; if it processes sensitive data or operates in one of the carved-out sectors, registration is still required.
Step 2: Conduct a Data Audit
A data audit maps what personal data your business collects, where it is stored, who has access, how long it is retained, and whether it is shared with third parties. Common findings include collecting more data than necessary, violating the data minimisation principle; retaining data too long, violating storage limitation; sharing data with third-party processors without adequate contractual safeguards in place, falling short of the accountability and security obligations set out in the Act’s core data protection principles under Section 25 and the technical and organisational measures required under Section 41; and using personal data beyond the purposes originally stated to the data subject. A data audit also frequently surfaces “shadow” processing that no one consciously decided to start, a marketing tool quietly collecting more fields than the business actually uses, for instance, which is exactly the kind of finding that only surfaces once someone is actually mapping the data flows rather than relying on what the business assumes it collects.
Step 3: Publish a Privacy Policy
The DPA 2019 requires data controllers to inform individuals about how their data will be processed. A compliant privacy policy must state who the data controller is, what data is collected and why, the legal basis for processing, who data may be shared with, how long it will be retained, the individual’s rights, and how to exercise them. A privacy policy copied from a foreign template and never adapted to actually describe the business’s real data practices is a common and easily identified compliance gap, since the policy’s content should match what the business actually does, not what a generic template assumes a typical business does.
Step 4: Establish a Lawful Basis for Processing
Every instance of processing personal data needs a lawful basis under the Act, which can include the data subject’s consent, necessity for performing a contract with the data subject, compliance with a legal obligation, protecting vital interests, or the legitimate interests of the controller balanced against the data subject’s rights. Many businesses over-rely on consent when another basis, such as contractual necessity or legitimate interest, would be more appropriate and more robust, since consent can be withdrawn at any time, while a properly established alternative basis does not depend on the data subject’s ongoing willingness to agree.
Step 5: Secure the Data
Section 41 of the DPA 2019 requires appropriate technical and organisational measures: encryption in transit and at rest, access controls and authentication, regular backups, staff training, and a documented data breach response plan. That response plan matters in practice because of Section 43’s specific timeline: where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the data subject, the controller must notify the Data Commissioner without delay, and in any event within seventy-two hours of becoming aware of the breach. A business without a rehearsed breach response process is far more likely to miss that seventy-two-hour window than one that has actually tested its plan before an incident occurs.
Data Protection Act 2019 Kenya: Step 6, Data Subject Requests
Individuals have rights to access, correct, delete, restrict, port, and object to processing of their personal data. Your business must have a documented process for receiving, verifying, and responding to these requests within the Act’s prescribed timelines, including a way to verify the requester is actually the data subject they claim to be before disclosing or acting on personal data, since responding to a request from the wrong person is itself a data protection failure rather than a defence against one.
Data Protection Act 2019 Kenya: Consequences of Non-Compliance
The ODPC can issue compliance and enforcement notices, impose administrative fines under Section 63 of up to KES 5,000,000 or 1 percent of annual turnover, whichever is lower, and refer matters for criminal prosecution where the conduct also constitutes an offence under the Act. Beyond regulatory penalties, non-compliance exposes a business to civil compensation claims from affected data subjects under Section 65 and to reputational damage from a publicised breach or enforcement action, a cost that frequently exceeds the regulatory fine itself once customer trust and media coverage are factored in. A right of appeal to the High Court exists against any administrative action the Data Commissioner takes, including enforcement and penalty notices, so a business facing a contested finding is not without recourse, though that appeal route does not pause the practical reputational consequences of the underlying enforcement action becoming public in the meantime.
Our team advises businesses on DPA 2019 compliance, ODPC registration, data audits, privacy policy drafting, and breach response planning. Contact us for a consultation if you need your data protection compliance position assessed against the Act’s actual requirements rather than a generic checklist.
Need help with data protection compliance? Contact Data Protection Act 2019 Kenya compliance is not a one-time exercise, the ODPC has signalled that ongoing audits will target businesses that registered but failed to implement adequate data governance frameworks thereafter. Any business that processes the personal data of Kenyan residents, including cloud-hosted SaaS platforms and offshore entities with a Kenyan customer base, falls within the territorial scope of the Act and must comply with the full suite of obligations, including breach notification within 72 hours of discovery.Clay & Associates Advocates. Book a Consultation
Related reading: FinTech Regulation in Kenya | Anti-Money Laundering Obligations
For tailored legal advice on this matter, speak with our regulatory and compliance advisory services team at Clay & Associates Advocates. We advise businesses and individuals across Kenya on Regulatory and Compliance Advisory matters from our offices at Nextgen Mall, Nairobi. | ODPC Enforcement in Kenya






