The Kenya Data Protection Act came into force in 2019, and regulatory enforcement has steadily increased as the Office of the Data Protection Commissioner expands its audit and investigation activities.

Who Does the DPA Apply To?

The DPA applies to any organisation that collects, processes, stores, or shares personal data of Kenyan residents — regardless of where the organisation is based. This includes businesses, NGOs, government entities, and even individuals who process data in a professional context. If you have customer records, employee files, or even a simple mailing list, the DPA applies to you.

Key Obligations Under the DPA

1. Registration with the ODPC

Organisations acting as a "data controller" or "data processor" must register with the ODPC; the registration regulations set thresholds and exemptions, so check which category you fall into rather than assuming you are exempt. Many organisations have never registered and are therefore already in violation before any other issue is considered. Registration is done online through the ODPC's portal.

2. Lawful Basis for Processing

You must have a valid legal basis for every type of personal data you collect and process. The most common bases are: consent, performance of a contract, legal obligation, and legitimate interests. Blanket "by using our service you consent to everything" clauses are not sufficient.

3. Privacy Notices

Every individual whose data you collect must be informed — at the time of collection — about what data is being collected, why it's being collected, how long it will be kept, and who it will be shared with. This must be communicated in plain, accessible language.

4. Data Subject Rights

Individuals have the right to access their data, correct it, request deletion, and object to processing. You must have processes in place to respond to these requests within 21 days. We routinely find organisations that have no mechanism at all to handle these requests.

5. Data Security

The DPA requires "appropriate technical and organisational measures" to protect personal data. What does "appropriate" mean? It depends on the sensitivity of the data, but at minimum it includes access controls, encryption of sensitive data, staff training, and incident response procedures.

6. Data Breach Notification

If personal data is accessed or acquired by an unauthorised person and there is a real risk of harm to the affected individuals, the organisation must notify the ODPC within 72 hours of becoming aware of the breach, and must also inform the affected individuals in writing. This is a tight window that many organisations are unprepared for: meeting it requires that a breach is recognised, escalated and assessed within hours, not weeks.

Most Common DPA Gaps We Find

· No ODPC registration
· No documented privacy notices
· No process for data subject rights requests
· Personal data stored in unencrypted spreadsheets
· No breach notification procedure
· Excessive data retention (keeping data "just in case")

Penalties for Non-Compliance

Offences under the DPA carry a fine of up to KES 3 million, imprisonment of up to 10 years, or both. Separately, the ODPC can impose administrative fines on data controllers and processors (up to KES 5 million or 1% of annual turnover, whichever is lower) and issue enforcement notices that require remediation within a set period. In many cases, the reputational damage from a publicised breach is far more costly than the regulatory penalty itself.

Getting Compliant: A Pragmatic Approach

Full DPA compliance doesn't happen overnight, but meaningful progress can be made quickly by starting with the gaps listed above: register, publish a privacy notice, set up a data subject request process, and write down who does what in the first 72 hours of a breach.

DPA Compliance Assessments

Netcaru offers DPA compliance gap assessments that identify your specific obligations, current gaps, and a prioritised remediation plan. Our assessments are specifically tailored for Kenyan regulatory requirements.