Data Protection Act Kenya - all you need to know

The Data Protection Act, 2019 is legislation enacted by the Government of Kenya to protect personal data held by public bodies and private organizations, whether in computer systems or in structured manual filing systems.

This article covers the following:

  • What purposes does data protection serve in Kenya?
  • Data protection regulation
  • Penalties for non-compliance
  • How to register for a data processing certificate in Kenya
  • What are the data subjects' rights?
  • Duties of data controllers and processors
  • Principles of data processing
  • Breach notification
  • Conclusion

The Data Protection Act came into force in November 2019 and introduced a set of obligations for anyone who collects or processes personal data in Kenya. Regulations and guidelines on implementing the Act's provisions were published afterwards.

The Kenyan Act follows the approach of the European Union's General Data Protection Regulation (GDPR), which came into effect in May 2018.

The right to privacy is guaranteed by Article 31 of the Constitution of Kenya, and the Act gives effect to that right. Kenya is not alone here: most countries now have rules protecting personal data.

What purposes does data protection serve in Kenya?

As set out in the long title of the Data Protection Act, 2019, it is an Act of Parliament to:

  1. Give effect to the right to privacy in Article 31 of the Constitution.
  2. Establish the Office of the Data Protection Commissioner (ODPC).
  3. Regulate the processing of personal data.
  4. Provide for the rights of data subjects.
  5. Set out the obligations of data controllers and data processors.

Data protection regulation

The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 set out the registration process in detail. The Office of the Data Protection Commissioner (ODPC) began registering data controllers and data processors on July 14th, 2022.

Who is exempt from mandatory registration?

A data controller or data processor is exempt from mandatory registration only if both of the following hold:

  1. Its annual turnover or revenue is below Kshs 5M.
  2. It has fewer than ten employees.

Who must register regardless of size?

The exemption does not apply to data controllers and data processors who process personal data for purposes listed in the Regulations, which include:

  1. Gambling
  2. Providing financial services
  3. Property management
  4. Transport services

Penalties for non-compliance

The Act provides the following penalties for non-compliance:

  1. The Data Commissioner can issue a penalty notice to a data controller or data processor that fails to comply with the Act; the notice states the amount due and the deadline for payment. An administrative fine is capped at Kshs 5M or, for an undertaking, 1% of its annual turnover for the preceding financial year, whichever is lower.
  2. Where an offence under the Act is prosecuted, a court may on conviction impose a fine not exceeding Kshs 5M or imprisonment.
  3. Obstructing the Data Commissioner in the performance of their functions is an offence punishable by a fine not exceeding Kshs 5M or imprisonment for a term not exceeding two years.
  4. A data subject who suffers damage because of a contravention of the Act is entitled to compensation from the data controller or data processor responsible.

What is considered an offence under the Data Protection Act?

  1. Disclosing personal data to a third party without authorization.
  2. Obtaining or possessing personal data without the authority of the data controller.
  3. Selling, or offering for sale, personal data that was obtained unlawfully.
  4. Obstructing the Office of the Data Protection Commissioner in an investigation.

How to register for a data processing certificate in Kenya

To obtain a certificate of registration as a data controller or data processor in Kenya:

  1. Go to the ODPC (Office of the Data Protection Commissioner) website and open the registration portal.
  2. Register as a data controller and/or data processor, supplying the required details about your organization and the personal data you process.
  3. Pay the prescribed registration fee and keep the receipt.
  4. Once the application is approved, the ODPC issues a certificate of registration. The certificate is valid for 24 months from the date of issue and is renewable.

What are the data subjects' rights?

Data subjects have the following rights under the Act:

  1. To be informed of the use to which their personal data is to be put, and why it is being collected.
  2. To have inaccurate data that a data controller holds about them corrected.
  3. To receive a copy of their personal data in a structured, commonly used and machine-readable format (data portability).
  4. To have false or misleading data about them deleted.

Duties of data controllers and processors

  1. Retain personal data no longer than is necessary for the purpose for which it was collected, unless the law requires a longer retention period.
  2. Keep personal data, and sensitive personal data in particular, confidential.
  3. Implement appropriate technical and organizational measures to safeguard personal data.
  4. Comply with the provisions of the Act.
  5. Notify the Data Commissioner within 72 hours of becoming aware of a breach that presents a real risk of harm to the data subject.

NOTE - The Data Commissioner registers a data controller or data processor only if:

  • the Commissioner is satisfied that the applicant is suitable to act in that capacity; and
  • the applicant meets the registration requirements in section 19(4) of the Act.

Principles of data processing

Section 25 of the Data Protection Act, 2019 sets out the principles every data controller and data processor must follow. Personal data must be:

  1. Processed in accordance with the data subject's right to privacy.
  2. Not transferred outside Kenya unless there is proof of adequate data protection safeguards or the data subject has consented.
  3. Processed lawfully, fairly and in a transparent manner.
  4. Collected for specified, explicit and legitimate purposes, and adequate, relevant and limited to what is necessary for those purposes.
  5. Accurate and, where necessary, kept up to date, with inaccurate data erased or rectified without delay.

Breach notification

A breach must be reported to the ODPC with details of the nature of the breach, what led to it, when it occurred and the measures taken in response.

Personal data is considered breached when:

  1. It is accessed, disclosed or acquired by an unauthorized person or third party, without the permission of the data subject or the data controller.
  2. The breach presents a real risk of harm to the data subject; this is the threshold that triggers the notification duty.


Conclusion

Individuals and organizations have a right to privacy and to the protection of their personal data. The Data Protection Act gives Kenyans a legal basis for trusting the organizations that hold their data, and it obliges those organizations to put in place appropriate controls over how personal data is collected, processed and stored.

Last updated
April 18, 2023