The Data Protection Act 2019 imposes significant obligations on any organisation that collects or processes personal data in Kenya. Here is what your business needs to know to stay compliant.
Kenya's Data Protection Act 2019 (DPA) came into force in November 2019 and represents a landmark shift in how organisations must handle personal data. Whether you are a small business, a tech startup, or a multinational corporation operating in Kenya, the DPA applies to you if you collect, process, or store the personal data of individuals in Kenya.
Key Obligations Under the DPA
Organisations that fall within the scope of the DPA must:
- Register as a data controller or data processor with the Office of the Data Protection Commissioner (ODPC)
- Collect personal data only for specified, explicit, and legitimate purposes
- Implement appropriate technical and organisational security measures
- Appoint a Data Protection Officer (DPO) where required
- Honour data subject rights, including the rights of access, rectification, erasure, and objection to processing
- Notify the ODPC of data breaches within 72 hours of discovery
Cross-Border Data Transfers
The DPA restricts the transfer of personal data outside Kenya unless the destination country provides an adequate level of protection, or appropriate safeguards — such as standard contractual clauses — are in place. Organisations with international operations must review their data flows carefully.
Penalties for Non-Compliance
Violations of the DPA can attract significant financial penalties and reputational consequences. The ODPC has the power to issue enforcement notices, impose fines, and refer serious matters for criminal prosecution.
How Hassan & Taragon Can Help
Our Data Protection practice provides end-to-end compliance support including ODPC registration, data protection audits, policy drafting, DPA training, and ongoing advisory. Contact us at office@htadvocates.com to discuss your compliance requirements.