SecurePrivacy Logo

Kenyan Data Protection Act

View Law Text
Maximum Fine
KES 5M or 1% of revenue
Scope
National
Regulator
ODPC
Enacted
2019

Need Help with Kenyan Data Protection Act Compliance?

Get expert guidance on implementing Kenya's data protection requirements and ensuring ongoing compliance for your organization.

Get Expert Help

Overview

The Data Protection Act establishes comprehensive requirements for the protection of personal data in Kenya, enforced by the Office of the Data Protection Commissioner.

Key Facts

  • Enacted in 2019
  • Enforced by Office of the Data Protection Commissioner
  • Includes GDPR-like requirements

Key Principles

Lawfulness and Consent

Personal data must be processed lawfully and with proper authorization.

Requirements

  • Obtain valid consent
  • Identify legal basis
  • Document processing grounds
  • Regular compliance reviews
  • Maintain consent records

Examples

  • Consent mechanisms
  • Legal basis documentation
  • Processing records
  • Compliance reports

Transparency

Organizations must be transparent about their data processing activities.

Requirements

  • Clear privacy notices
  • Processing purpose disclosure
  • Data sharing information
  • Rights notification
  • Regular updates

Examples

  • Privacy policies
  • Data processing notices
  • Rights information
  • Communication records

Data Security

Implementation of appropriate security measures to protect personal data.

Requirements

  • Security risk assessments
  • Technical safeguards
  • Staff training
  • Incident response
  • Regular audits

Examples

  • Security protocols
  • Training programs
  • Incident plans
  • Audit reports

Compliance Requirements

Registration Requirements

Organizations must register with the Office of the Data Protection Commissioner.

Implementation Steps

  • Submit registration application
  • Document processing activities
  • Pay registration fees
  • Maintain registration status
  • Update when changes occur

Required Documentation

  • Registration certificates
  • Processing records
  • Payment receipts
  • Status updates
  • Change notifications

Data Protection Impact Assessment

Requirements for conducting DPIAs for high-risk processing.

Implementation Steps

  • Identify high-risk processing
  • Conduct assessment
  • Document findings
  • Implement recommendations
  • Regular reviews

Required Documentation

  • DPIA reports
  • Risk assessments
  • Mitigation plans
  • Implementation records
  • Review logs

International Transfer Requirements

Requirements for transferring personal data outside Kenya.

Implementation Steps

  • Assess recipient country adequacy
  • Implement safeguards
  • Obtain approvals
  • Document transfers
  • Monitor compliance

Required Documentation

  • Transfer assessments
  • Safeguard documentation
  • Approval records
  • Transfer logs
  • Monitoring reports

Enforcement & Penalties

Administrative Penalties

The Office of the Data Protection Commissioner can impose administrative penalties for violations.

Penalty Categories

Severe Violations
Up to KES 5M or 1% of revenue
For serious breaches of data protection requirements
Processing Violations
Up to KES 3M
For unauthorized processing of personal data
Registration Failures
Up to KES 1M
For failure to register or maintain registration

Example Cases

Hypothetical Case 1
KES 4M
2023 - Unauthorized data sharing with third parties
Hypothetical Case 2
KES 2M
2023 - Insufficient security measures leading to data breach

Criminal Penalties

Serious violations may result in criminal prosecution.

Penalty Categories

Intentional Violations
Up to KES 5M and imprisonment
For deliberate violations of the law
False Statements
Up to KES 3M
For providing false information to authorities
Obstruction
Up to KES 1M
For obstructing investigations

Example Cases

Hypothetical Case 3
KES 4.5M
2023 - Intentional exposure of sensitive personal data
Hypothetical Case 4
KES 2.5M
2023 - Repeated non-compliance with authority orders