
Data Processing in Kenya: DPA 2019, ODPC and Business Comms

Data processing under Kenya's DPA 2019 and ODPC rules. How businesses handle customer SMS, WhatsApp, voice and M-Pesa data the compliant way.

Every Kenyan business that sends an SMS, takes a phone call, runs a USSD menu, accepts an M-Pesa payment or stores a customer record is, by law, processing personal data. Get it right and customer trust compounds. Get it wrong and the Office of the Data Protection Commissioner (ODPC) can issue penalties of up to KES 5 million or 1% of annual turnover — whichever is lower.

This guide gives a short, clear answer to the consumer question — what is data processing — then pivots to what actually matters for Kenyan business owners, compliance officers and CTOs in 2026: how to process customer data lawfully under the Data Protection Act, 2019, how the ODPC enforces it, and how a compliant-by-default communications stack reduces your exposure.

What is data processing?

Data processing is any operation performed on personal data — collecting it, storing it, organising it, retrieving it, using it for a decision, sharing it with a third party or deleting it. The Kenyan Data Protection Act, 2019 mirrors the EU GDPR definition almost word for word: "any operation or sets of operations which is performed on personal data or on sets of personal data whether or not by automated means."

That means dialling a customer back from your call centre, sending a marketing SMS, importing a CSV of leads into your CRM, or simply backing up a database of phone numbers all qualify as processing. The law applies regardless of how big or small your business is.

The six lawful bases for processing customer data in Kenya

Section 30 of the DPA, 2019 says you cannot process personal data unless you have one of six lawful bases. Picking the right one is the single most important compliance decision a Kenyan business makes:

  1. Consent. The data subject has freely given specific, informed and unambiguous consent. This is the basis you need for marketing SMS, WhatsApp broadcasts and most cookie-driven analytics.
  2. Contract. Processing is necessary to perform a contract with the data subject — for example, sending an order delivery SMS to a customer who bought from you.
  3. Legal obligation. You must process the data to comply with a Kenyan law — for example, retaining KYC records under the Proceeds of Crime and Anti-Money Laundering Act.
  4. Vital interests. Processing protects the life of the data subject or another person.
  5. Public task. A public authority processing data to deliver a public service.
  6. Legitimate interests. The data controller's legitimate interests — for example, fraud prevention — unless overridden by the rights of the data subject.

The single biggest mistake Kenyan SMBs make is sending bulk marketing SMS under "legitimate interests" when the law clearly requires explicit, opt-in consent. The ODPC has been clear about this, and recent enforcement actions confirm it.

How the ODPC enforces data processing rules

The Office of the Data Protection Commissioner is the independent regulator created by the DPA, 2019 and operational since November 2020. By 2026 the ODPC had registered tens of thousands of data controllers and processors, issued binding enforcement notices, and levied penalties against well-known Kenyan brands for unsolicited marketing, unlawful CCTV deployment and weak data-subject access processes.

Every Kenyan business that handles personal data of more than a handful of customers must:

  • Register as a data controller, a data processor, or both.
  • Appoint a Data Protection Officer where required by ODPC guidance — mandatory for processors of large volumes of data, sensitive personal data, or systematic monitoring.
  • Maintain a record of processing activities (ROPA).
  • Run a Data Protection Impact Assessment (DPIA) on high-risk processing such as profiling, large-scale monitoring, or processing of sensitive categories.
  • Notify the ODPC of a personal-data breach within 72 hours of becoming aware of it.

Kenya DPA 2019 vs the EU GDPR — the differences that catch businesses out

The DPA, 2019 was deliberately modelled on GDPR, so an EU-ready compliance posture transfers well. But there are local nuances:

  • Cross-border transfer. Sending personal data outside Kenya requires either an adequacy decision from the Cabinet Secretary, appropriate safeguards, or explicit data-subject consent. The list of jurisdictions deemed adequate is still narrower than the EU equivalent, so default to safeguards or consent.
  • Sensitive personal data. The Kenyan definition includes the obvious (health, ethnicity, religion, sexual orientation) but also categories like marital status and property details, which sit outside the GDPR equivalent.
  • Lower penalty ceilings. GDPR caps administrative fines at 4% of global turnover or EUR 20 million. The Kenyan ceiling sits at 1% of turnover or KES 5 million — still material, but cheaper to get wrong.
  • Mandatory registration. Kenya requires data controllers and processors above defined turnover or volume thresholds to register with the ODPC; GDPR does not have an equivalent positive registration requirement.

Where customer data actually flows in a Kenyan business

In a typical Kenyan SMB or mid-market business, personal data is processed across at least six channels every day:

  • SMS. Bulk marketing, transactional OTPs, delivery notifications, payment confirmations.
  • WhatsApp Business API. Conversational sales, customer support, chatbot flows, templated reminders.
  • Voice. Inbound call centre, outbound dialer for sales or collections, IVR menus, call recording for QA.
  • USSD. Self-service menus for lookups, payments, loan applications.
  • M-Pesa and other mobile money. Customer phone numbers, transaction history, till statements.
  • CRM and ticketing. Stored contact records, conversation history, support tickets, lead scoring.

Each touchpoint is a personal data processing operation. Each needs its own lawful basis, consent capture, retention policy and audit trail.

Consent capture in business communications — the right way

Compliant marketing SMS and WhatsApp campaigns rely on explicit, demonstrable consent. The pattern that works for Kenyan businesses:

  1. Capture consent at point of acquisition. A web form checkbox, a USSD opt-in keyword ("reply 1 to receive offers"), a WhatsApp opt-in click, or a physical-store signed consent.
  2. Log the consent event. Store timestamp, channel, exact wording shown and the data subject's affirmative action. This is your ROPA exhibit when the ODPC asks.
  3. Honour withdrawal instantly. Every marketing SMS must offer a free, easy unsubscribe — typically "reply STOP to opt out." Withdrawals propagate to every channel, not just SMS.
  4. Re-confirm consent annually. Stale opt-ins are weak evidence in an enforcement action.
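The four steps above, and the later question of how consent is proved to the ODPC, come down to one data structure: an append-only log of consent events that records the exact wording shown, propagates a STOP to every channel, expires stale opt-ins and resists after-the-fact editing. The Python below is an added illustration of that design, not code from this article or from HelloDuty. It assumes three channel names, treats "annually" and "12 months after withdrawal" as 365-day windows, uses a constructed phone number, and makes the ledger tamper-evident by SHA-256 chaining each entry to the previous one.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

CHANNELS = ("sms", "whatsapp", "voice")            # assumed channel names
RECONFIRM_AFTER = timedelta(days=365)              # step 4: opt-ins older than this are stale
RETAIN_AFTER_WITHDRAWAL = timedelta(days=365)      # retention default: 12 months after STOP


@dataclass
class ConsentEvent:
    subject_id: str        # data-subject identifier (here a constructed MSISDN)
    action: str            # "opt_in", "reconfirm" or "opt_out"
    via: str               # channel on which the subject acted (web, ussd, sms, ...)
    channels: tuple        # channels the action applies to
    wording: str           # exact text shown to the subject at the time
    timestamp: str         # ISO-8601, UTC
    prev_hash: str         # hash of the previous entry; links the chain
    entry_hash: str = ""   # SHA-256 over every other field


class ConsentLedger:
    """Append-only, hash-chained consent log (assumed design, not a vendor's API)."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(ev):
        body = {k: v for k, v in asdict(ev).items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, subject_id, action, via, channels, wording, when):
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        ev = ConsentEvent(subject_id, action, via, tuple(channels), wording,
                          when.astimezone(timezone.utc).isoformat(), prev)
        ev.entry_hash = self._digest(ev)
        self.entries.append(ev)
        return ev

    def record_opt_in(self, subject_id, via, channels, wording, when):
        """Steps 1 and 2: capture the affirmative action with its exact wording."""
        return self._append(subject_id, "opt_in", via, channels, wording, when)

    def record_reconfirm(self, subject_id, via, channels, wording, when):
        """Step 4: an annual re-confirmation resets the staleness clock."""
        return self._append(subject_id, "reconfirm", via, channels, wording, when)

    def record_opt_out(self, subject_id, via, wording, when):
        """Step 3: a STOP received on any one channel withdraws every channel."""
        return self._append(subject_id, "opt_out", via, CHANNELS, wording, when)

    def may_market(self, subject_id, channel, now):
        """True only if a live, non-stale grant covers this channel."""
        granted = {}                               # channel -> time of latest grant
        for ev in self.entries:
            if ev.subject_id != subject_id:
                continue
            ts = datetime.fromisoformat(ev.timestamp)
            if ev.action in ("opt_in", "reconfirm"):
                for c in ev.channels:
                    granted[c] = ts
            elif ev.action == "opt_out":
                for c in ev.channels:
                    granted.pop(c, None)
        ts = granted.get(channel)
        return ts is not None and now - ts <= RECONFIRM_AFTER

    def purge_eligible(self, subject_id, now):
        """Consent records may be deleted once the post-withdrawal window has run."""
        mine = [e for e in self.entries if e.subject_id == subject_id]
        if not mine or mine[-1].action != "opt_out":
            return False
        return now - datetime.fromisoformat(mine[-1].timestamp) >= RETAIN_AFTER_WITHDRAWAL

    def verify(self):
        """Recompute the chain; an edited or removed entry breaks it."""
        prev = self.GENESIS
        for ev in self.entries:
            if ev.prev_hash != prev or self._digest(ev) != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return True


def demo():
    """Constructed walk-through: USSD opt-in for SMS and WhatsApp, later STOP by SMS."""
    subject = "254700000001"                       # constructed, not a real customer
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_opt_in(subject, "ussd", ("sms", "whatsapp"),
                         "Reply 1 to receive offers by SMS and WhatsApp", t0)
    result = {
        "sms_live": ledger.may_market(subject, "sms", t0 + timedelta(days=1)),
        "voice_live": ledger.may_market(subject, "voice", t0 + timedelta(days=1)),
        "sms_stale": ledger.may_market(subject, "sms", t0 + timedelta(days=400)),
    }
    ledger.record_opt_out(subject, "sms", "STOP", t0 + timedelta(days=30))
    result["whatsapp_after_stop"] = ledger.may_market(subject, "whatsapp", t0 + timedelta(days=31))
    result["purge_at_100d"] = ledger.purge_eligible(subject, t0 + timedelta(days=100))
    result["purge_at_395d"] = ledger.purge_eligible(subject, t0 + timedelta(days=395))
    result["chain_ok"] = ledger.verify()
    ledger.entries[0].wording = "edited after the fact"   # simulate tampering
    result["chain_ok_after_edit"] = ledger.verify()
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the chain is evidentiary rather than cryptographic: an auditor can recompute every hash from the exported entries, so the ledger cannot be quietly backfilled with a consent that was never captured. In production the grants would be keyed per campaign purpose as well as per channel, and the export would carry the verification routine alongside the records.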

Data retention: how long can you keep customer data?

The DPA, 2019 does not set hard retention periods — it requires that personal data be kept no longer than is necessary for the purpose. Kenyan businesses typically anchor on these defaults:

  • KYC records: 7 years after the end of the customer relationship (AML/CFT requirements).
  • Transaction logs and billing records: 7 years (Tax Procedures Act).
  • Marketing consent records: Lifetime of the consent plus 12 months after withdrawal.
  • Call recordings: 90–180 days, longer if needed for dispute resolution.
  • CCTV footage: 30–60 days as a default.

How a compliant-by-default CPaaS reduces your risk

The cheapest way to fail an ODPC audit is to scatter personal data across a free bulk-SMS portal in Eastleigh, a personal WhatsApp account on a sales rep's phone, and a CRM hosted in a region without adequate safeguards. HelloDuty is built to consolidate those channels onto a single platform that gives compliance officers something to point at:

  • Consent management at the message layer. Every SMS, WhatsApp and voice channel writes consent events and STOP requests to a unified ledger you can export to the ODPC on demand.
  • Retention policies enforced in the platform. Conversation history, recordings and transcripts auto-purge on the schedule you configure — you do not have to remember.
  • Granular role-based access. Agents see only the customer records they need; access logs are immutable.
  • Data residency options. Workloads can be pinned to East African data centres where supported, reducing cross-border transfer paperwork.
  • Encryption in transit and at rest. TLS for every API call, AES-256 for data at rest, and signed webhooks for downstream integrations.
  • DPIA-ready documentation. Architecture diagrams, sub-processor list, breach-notification SLAs and DPA-aligned contractual terms are ready when your DPO needs them.

FAQs

What counts as personal data under the Kenyan DPA, 2019?

Any information relating to an identified or identifiable natural person — names, phone numbers, ID numbers, M-Pesa transaction history, IP addresses, photos and location data all qualify. Business-to-business contact details for an individual at a company are also personal data.

Do small businesses need to register with the ODPC?

Registration is mandatory for data controllers and processors that meet thresholds set by ODPC guidance — generally those with annual turnover above KES 5 million or that process personal data of more than 100 subjects. Below the threshold you still must comply with the DPA, but you may be exempt from positive registration.

What is the penalty for unsolicited marketing SMS in Kenya?

The ODPC has issued enforcement notices and fines for sending marketing SMS without consent, including penalties at the higher end of the KES 5 million ceiling. Repeated breaches and inadequate opt-out mechanisms aggravate the fine.

Can I send WhatsApp marketing messages to a customer who bought from me?

A previous purchase does not by itself create a lawful basis for future marketing. You need an explicit opt-in for marketing communications, ideally captured as a click on a WhatsApp opt-in link or a clear checkbox at checkout. WhatsApp's own Business policies enforce a similar standard.

How do I prove consent if the ODPC investigates?

You produce timestamped consent records from your CRM or CPaaS — the channel used, the exact wording shown, the data subject's identifier and the affirmative action they took. Platforms that store this in a tamper-evident ledger make the audit trivial.

Build a compliant communications stack from day one

Data processing is not a side topic for Kenyan businesses — it is the operating reality every time you message a customer. HelloDuty's CPaaS gives you SMS, WhatsApp Business API, programmable voice, USSD and an AI receptionist on a platform engineered around the DPA, 2019 and ODPC expectations from the ground up. Explore the SMS API, the full CPaaS platform, or talk to our Kenya team about a compliance review of your current setup.

Last updated
June 16, 2026