The Data Protection Act No. 24 of 2019 (DPA 2019) applies to every business in Kenya that collects, stores, or uses personal data. The Office of the Data Protection Commissioner (ODPC) is actively enforcing it. Penalties include fines of up to KES 5,000,000 or 1% of annual turnover, whichever is lower.
What Counts as Personal Data?
Personal data is any information relating to an identified or identifiable natural person: names, ID numbers, phone numbers, email addresses, location data, IP addresses, biometric data, financial records, employment records, and any other information that can identify a specific individual. Sensitive personal data (race, health status, genetic or biometric data, sexual orientation, criminal convictions) attracts additional protections and requires explicit consent or another specific legal basis.
Step 1: Register with the ODPC
Every data controller and data processor must register at the ODPC online portal. You must provide details about the categories of personal data processed, the purposes of processing, and the security measures in place.
Step 2: Conduct a Data Audit
A data audit maps what personal data your business collects, where it is stored, who has access, how long it is retained, and whether it is shared with third parties. Common findings include collecting more data than necessary (violating the data minimisation principle), retaining data too long (violating storage limitation), sharing data with third-party processors without data processing agreements (violating Section 31 of the DPA 2019), and using personal data beyond the purposes originally stated.
Step 3: Publish a Privacy Policy
The DPA 2019 requires data controllers to inform individuals about how their data will be processed. A compliant privacy policy must state who the data controller is, what data is collected and why, the legal basis for processing, who data may be shared with, how long it will be retained, the individual’s rights, and how to contact the controller.
Step 4: Implement Consent Mechanisms
Where consent is your legal basis for processing, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not constitute valid consent. However, consent is not the only basis available — the DPA 2019 also permits processing for contract performance, legal obligation, vital interests, public interest, or legitimate interests of the data controller. Many businesses over-rely on consent when another basis would be more appropriate.
Step 5: Secure the Data
Section 41 of the DPA 2019 requires appropriate technical and organisational measures: encryption in transit and at rest, access controls and authentication, regular backups, staff training, and a data breach response plan.
Step 6: Prepare for Data Subject Requests
Individuals have rights to access, correct, delete, restrict, port, and object to processing of their personal data. Your business must have a process for receiving, verifying, and responding to these requests within the Act’s prescribed timelines.
What Happens If You Do Not Comply?
The ODPC can issue compliance notices, impose administrative fines of up to KES 5,000,000 or 1% of annual turnover, and refer matters for criminal prosecution. Beyond regulatory penalties, non-compliance exposes your business to civil claims and reputational damage from a publicised data breach or enforcement action.
Our Regulatory & Compliance practice advises on DPA 2019 compliance programmes, ODPC registration, and data processing agreements. Contact us for a consultation.