Kenya Data Protection Act: A 2026 Compliance Guide for B2B Operators

Kenya's Data Protection Act 2019 is now actively enforced by the ODPC, with fines of up to KES 5 million and a 2024-2026 enforcement track record. This guide explains lawful basis, consent, DSRs, breach reporting, and how B2B operators run ODPC-compliant SMS, WhatsApp, and voice campaigns.

Kenya's Data Protection Act 2019 stopped being a paper exercise around 2023. By 2026, the Office of the Data Protection Commissioner (ODPC) has issued fines, demanded breach notifications inside 72 hours, and forced large telcos, banks, and retailers to rebuild their consent and SMS marketing infrastructure. If your business sends SMS, WhatsApp, voice, or email campaigns to Kenyan contacts, you are within scope — and ignorance is no longer a defense.

This guide covers what the Act says, how the ODPC enforces it in 2026, what lawful basis and consent look like in practice, the data subject rights you must honour, how to handle breaches, and how to operationalize CPaaS messaging (SMS, WhatsApp Business API, voice) so compliance is the default rather than the afterthought.

What the Data Protection Act 2019 actually does

The Act, available on the ODPC website, gives effect to Article 31(c) and (d) of the Constitution of Kenya. It does four things:

  1. Establishes the Office of the Data Protection Commissioner as the enforcement body.
  2. Regulates the processing of personal data — collection, storage, use, sharing, and erasure.
  3. Defines the rights of data subjects (the individuals whose data you process).
  4. Sets the duties of data controllers (who decide why and how data is processed) and data processors (who process data on behalf of a controller).

Who is in scope

Any business — Kenyan or foreign — that processes personal data of individuals located in Kenya. This includes ad platforms, SaaS vendors, CPaaS providers, ride-hailing apps, fintechs, schools, hospitals, churches, NGOs, and any SMB that holds a customer list.

ODPC enforcement actions: what changed between 2024 and 2026

The ODPC has progressively moved from awareness to enforcement. Public actions reported between 2024 and 2026 include:

  • Fines against credit reference bureaus and digital lenders for processing data without lawful basis.
  • Penalty notices to schools that disclosed student data on social media.
  • Enforcement orders against employers conducting covert workplace surveillance.
  • Public warnings to political campaigns that sent unsolicited bulk SMS during election cycles.

The pattern is consistent: lawful basis, consent quality, and breach notification timeliness are the three areas the Commissioner inspects first.

What the fines look like

Penalties under the Act can reach KES 5 million per infringement, or 1 percent of annual turnover for the previous financial year — whichever is lower. Criminal penalties for specific offences include imprisonment up to two years. Repeat infringements compound.

Mandatory registration with the ODPC

Under the Data Protection (General) Regulations 2021, you must register as a data controller or processor unless you qualify for an exemption.

Exempt

  • Annual turnover below KES 5 million; and
  • Fewer than 10 employees.

Not exempt regardless of size

Even if you are below the thresholds, you must register if you process data for any of: gambling, financial services, property management, transport services, health, education, telecommunications, direct marketing, credit reference, or processing children's data.

How to register

  1. Create an account on the ODPC portal.
  2. Complete the controller or processor application with your business KRA PIN, business activity, data categories, and lawful basis.
  3. Pay the registration fee.
  4. Receive your certificate, valid for 24 months and renewable.

The seven principles of data processing

Every act of processing must satisfy these principles from Section 25 of the Act:

  1. Lawfulness, fairness, and transparency.
  2. Purpose limitation — data collected for a specific, declared purpose.
  3. Data minimization — only what is necessary.
  4. Accuracy — kept up to date.
  5. Storage limitation — kept only as long as needed.
  6. Integrity and confidentiality — protected against unauthorized access.
  7. Accountability — the controller must be able to demonstrate compliance.

Lawful basis: the six grounds you can rely on

You may process personal data only if at least one of these applies:

  1. Consent of the data subject.
  2. Performance of a contract.
  3. Compliance with a legal obligation.
  4. Protection of vital interests of the data subject.
  5. Public interest or official authority.
  6. Legitimate interests of the controller (with a balancing test).

For direct marketing — SMS, WhatsApp, voice broadcast, email — consent is the default lawful basis. Get it explicitly, log it, and make withdrawal easy.

Data subject rights you must honour

  • Right to be informed about the collection and use of their data.
  • Right of access to their data and to a copy of it.
  • Right to rectification of inaccurate data.
  • Right to erasure (the right to be forgotten).
  • Right to object to processing, including direct marketing.
  • Right to data portability — receive data in a structured, machine-readable format.
  • Right not to be subject to a decision based solely on automated processing.

You must respond within 7 days for marketing objection requests and within 21 days for full DSR fulfilment.

Duties of controllers and processors

  • Implement appropriate technical and organizational measures (encryption at rest, in transit, role-based access).
  • Conduct a Data Protection Impact Assessment (DPIA) for high-risk processing.
  • Maintain a record of processing activities.
  • Appoint a Data Protection Officer where required.
  • Notify the ODPC of any breach within 72 hours of becoming aware.
  • Inform affected data subjects without undue delay if the breach is likely to result in high risk.

Cross-border data transfers

You may transfer personal data outside Kenya only if the destination provides an adequate level of protection, or you have appropriate safeguards in place (standard contractual clauses, binding corporate rules), or the data subject has given explicit consent, or another statutory exception applies. For Kenyan B2B operators using global SaaS, this typically means signing a data processing addendum with your vendor.

What ODPC-compliant CPaaS messaging looks like in practice

If you run SMS, WhatsApp, or voice campaigns, your stack must support:

  1. Captured, time-stamped, source-tagged consent for every contact in your database.
  2. One-click opt-out in every SMS (STOP) and a clear unsubscribe path in every WhatsApp template.
  3. Automatic suppression lists so an opted-out contact never receives another marketing message.
  4. Audit trails showing what message was sent, when, by whom, on which lawful basis.
  5. Data residency clarity — know where your messaging metadata is stored.
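The five requirements above describe one data structure more than five separate features: a consent ledger that also drives the suppression list and the audit trail. The following Python sketch is an added example, not HelloDuty's code or any part of the Act; the opt-out keyword set, the sample MSISDNs, the fixed clock and the `consent_ref` format are all constructed for illustration. It shows how a send is gated on channel-specific consent for the declared purpose, how a STOP keyword withdraws consent and suppresses the contact across every channel, and how each decision (sent or blocked, and why) lands in an append-only audit log carrying the lawful basis and a reference to the captured consent.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Opt-out keywords the inbound handler honours. Constructed set for this
# example; a carrier or platform may mandate a specific list.
OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE", "OPT OUT"}


@dataclass
class Consent:
    contact: str          # MSISDN in E.164 form (sample values below are constructed)
    channel: str          # "sms", "whatsapp" or "voice"
    purpose: str          # declared purpose, e.g. "marketing" or "transactional"
    source: str           # where the opt-in was captured: web form, USSD, POS...
    captured_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentLedger:
    """Consent records, a contact-level suppression list and an append-only audit trail."""
    clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)
    consents: dict[tuple[str, str], Consent] = field(default_factory=dict)
    suppressed: set[str] = field(default_factory=set)
    audit: list[dict] = field(default_factory=list)

    def _log(self, event: str, contact: str, **details) -> None:
        # One audit line per event: what happened, to whom, when, and on what basis.
        self.audit.append({"at": self.clock().isoformat(), "event": event,
                           "contact": contact, **details})

    def record_consent(self, contact: str, channel: str, purpose: str, source: str) -> Consent:
        rec = Consent(contact, channel, purpose, source, self.clock())
        self.consents[(contact, channel)] = rec
        # Design choice: only a fresh, explicit opt-in lifts an earlier STOP.
        self.suppressed.discard(contact)
        self._log("consent_captured", contact, channel=channel, purpose=purpose, source=source)
        return rec

    def withdraw(self, contact: str, reason: str) -> None:
        now = self.clock()
        for (who, _channel), rec in self.consents.items():
            if who == contact and rec.active:
                rec.withdrawn_at = now
        # Suppression is per contact, so an SMS STOP also blocks WhatsApp and voice.
        self.suppressed.add(contact)
        self._log("consent_withdrawn", contact, reason=reason)

    def handle_inbound(self, contact: str, text: str) -> bool:
        """Return True when the inbound message was an opt-out and the contact is now suppressed."""
        keyword = text.strip().upper()
        if keyword in OPT_OUT_KEYWORDS:
            self.withdraw(contact, reason=f"keyword:{keyword}")
            return True
        return False

    def send_marketing(self, contact: str, channel: str, template_id: str, sent_by: str) -> str:
        """Gate a marketing send on suppression and consent; log the decision either way."""
        if contact in self.suppressed:
            self._log("send_blocked", contact, channel=channel, template=template_id, reason="suppressed")
            return "blocked:suppressed"
        consent = self.consents.get((contact, channel))
        if consent is None or not consent.active or consent.purpose != "marketing":
            # Transactional consent, or consent on another channel, does not carry over.
            self._log("send_blocked", contact, channel=channel, template=template_id, reason="no_consent")
            return "blocked:no_consent"
        self._log("message_sent", contact, channel=channel, template=template_id,
                  sent_by=sent_by, lawful_basis="consent",
                  consent_ref=f"{consent.source}@{consent.captured_at.isoformat()}")
        return "sent"


def demo() -> dict:
    """Walk through the gate with constructed sample contacts and a fixed clock."""
    fixed = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger(clock=lambda: fixed)
    ledger.record_consent("+254700000001", "sms", "marketing", "web_form")
    ledger.record_consent("+254700000002", "sms", "transactional", "checkout")
    operator = "campaigns@example.invalid"
    first = ledger.send_marketing("+254700000001", "sms", "promo_june", operator)
    transactional_only = ledger.send_marketing("+254700000002", "sms", "promo_june", operator)
    wrong_channel = ledger.send_marketing("+254700000001", "whatsapp", "promo_june", operator)
    ledger.handle_inbound("+254700000001", " stop ")
    after_stop = ledger.send_marketing("+254700000001", "sms", "promo_july", operator)
    return {"first": first, "transactional_only": transactional_only,
            "wrong_channel": wrong_channel, "after_stop": after_stop,
            "audit_events": [e["event"] for e in ledger.audit]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit list is what you would hand over on inspection: every blocked send is recorded alongside every delivered one, so the absence of a message to a suppressed contact is itself evidenced rather than assumed. In production the same structure belongs in durable storage with the retention period your record of processing declares.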

How HelloDuty makes this default

HelloDuty SMS API and WhatsApp Business API are built with consent capture, opt-out keywords, suppression lists, and audit logs as baseline features. Our voice and PBX product records call disclosures, and our CRM stores DSR fulfilment evidence in a single audit-friendly view. When the ODPC asks, you can show the evidence.

Breach notification: the 72-hour clock

A personal data breach is any incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

You must notify the ODPC within 72 hours of becoming aware of the breach. The notification must include:

  • The nature of the breach and categories of data affected.
  • Approximate number of data subjects affected.
  • Likely consequences.
  • Measures taken or proposed to address the breach.
  • Contact details of your DPO or responsible officer.

If the breach is likely to result in high risk to the data subjects, you must also notify them directly.

Frequently asked questions

1. Do I need to register if my Kenyan SMB only has 5 employees?

If your turnover is below KES 5 million and you do not process data for gambling, financial services, property, transport, health, education, telecoms, direct marketing, or credit reference — no. If you do any of those activities, yes regardless of size.

2. Is buying a contact list legal in Kenya?

Effectively no for marketing use. Even if the seller claims consent, you as the new controller must be able to demonstrate that the data subject consented to your processing for your purpose. That bar is almost never met by purchased lists.

3. Can I send a one-off promotional SMS to a customer who paid me last year?

Only if they consented to marketing at the time of the original transaction. A transactional relationship does not automatically grant marketing consent.

4. What happens if I miss the 72-hour breach notification?

The ODPC treats late notification as an aggravating factor. Fines escalate, and the Commissioner can issue an enforcement notice requiring remedial actions.

5. Do international vendors need a Kenyan DPO?

If you target the Kenyan market or process Kenyan residents' data systematically, the ODPC expects a representative in Kenya. Many vendors appoint a local DPO or use a representation service.

The compliant-by-default operator wins

The Kenyan Data Protection Act 2019 is no longer a compliance hurdle to hide from. It is now a buyer trust signal. The B2B operators that publish their privacy notice, register with the ODPC, capture opt-ins cleanly, honour DSRs quickly, and run audited CPaaS messaging are the ones winning enterprise tenders and surviving ODPC inspections.

If you want SMS, WhatsApp, and voice infrastructure that treats ODPC compliance as the default, speak to HelloDuty. We will help you wire opt-in capture, opt-out handling, suppression lists, audit logs, and breach response into your customer communications stack — so when the Commissioner calls, you already have the answer.

Related reading

WhatsApp Business API: time to upgrade from the basic Business app

The Data Protection Act 2019 (Kenya Law gazette)

Last updated
June 16, 2026