I. Introduction
Kenya’s Data Protection Act, 2019 (DPA) is the country’s first comprehensive privacy law. Enacted to give effect to Article 31 of the Constitution of Kenya, it regulates the collection, processing, storage, and transfer of personal data. Modeled after the EU’s GDPR, the DPA requires that Kenyan residents’ personal information be handled lawfully, fairly, and transparently. The Act is enforced by the Office of the Data Protection Commissioner (ODPC), which oversees compliance, registration, and enforcement actions.
II. The Office of the Data Protection Commissioner (ODPC)
The Office of the Data Protection Commissioner is the independent authority established under Section 5 of the DPA to enforce the Act. The Data Commissioner, who heads the office, acts independently in the performance of their functions.
Functions and Powers of the ODPC
- Enforcement & Regulation: Oversees and enforces the DPA.
- Registration: Maintains a mandatory register of all data controllers and processors.
- Investigations: Receives and investigates complaints from data subjects and has the power to issue a summons and require information.
- Audits: Conducts on-site assessments and inspections to verify compliance.
- Public Awareness: Promotes public education on data protection.
- Enforcement Actions: Can issue enforcement notices and impose administrative fines.
III. Who Needs to Comply with the DPA
A. Material Scope
The DPA applies to all organizations (public or private) that collect, process, or store personal data of individuals in Kenya, whether by automated or manual means.
Exemptions:
Data processed purely for personal or household activities, national security, and specific legal/judicial purposes may be exempt.
B. Territorial Scope
The law applies to:
- Any entity established in Kenya, regardless of where the processing activities occur.
- Any entity established outside Kenya that processes personal data of individuals located in Kenya (offering goods/services or monitoring their behavior).
IV. Definitions of Key Terms
a. Personal Data
Any information relating to an identified or identifiable natural person.
b. Data Controller
The entity that determines the purpose and means of processing of personal data.
c. Data Processor
The entity that processes data on behalf of a controller.
d. Data Subject
An individual whose data is being processed.
e. Consent
Freely given, specific, informed, and unambiguous indication of the data subject's wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.
f. Sensitive Personal Data
Data relating to health, race, ethnic origin, religious beliefs, genetic or biometric data, property details, marital status, family details, including names of the person's children, parents, spouse or spouses, sex life, or criminal history.
g. Cross-Border Transfer
Movement of personal data outside Kenya.
h. Third-Party
A natural or legal person, public authority, agency or other body, other than the data subject, data controller, data processor or persons who, under the direct authority of the data controller or data processor, are authorised to process personal data.
V. Obligations for Organizations Under the DPA
a. Obligation to Register
A fundamental obligation under the DPA is the mandatory registration of data controllers and data processors with the ODPC.
- The Act states that no person shall act as a data controller or data processor unless they are registered with the Data Commissioner.
- Registration thresholds are based on factors such as the nature of the industry, the volume of data processed, and whether sensitive personal data is being processed.
- Certain sectors, such as financial services, healthcare, and telecommunications, are required to register regardless of their revenue or employee count.
b. Principles of Data Protection
The DPA is guided by several core principles that data controllers and processors must adhere to. These principles include:
- Processing must be lawful, fair, and transparent.
- Data must be collected for explicit, specified, and legitimate purposes.
- Purpose limitation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality.
- The data controller or data processor is responsible for, and must be able to demonstrate, compliance with these principles.
c. Lawful Grounds for Processing
Under the DPA, a data controller or data processor is prohibited from processing personal data unless they have a lawful basis for doing so. The most common legal bases are:
- Consent: The data subject has given unambiguous consent.
- Contract: The processing is necessary for the performance of a contract to which the data subject is a party.
- Legal Obligation: The processing is necessary to comply with a legal obligation.
- Vital Interests: The processing is necessary to protect the vital interests of the data subject or another person.
- Public Interest or Official Authority: The processing is necessary for a task carried out in the public interest or in the exercise of official authority.
- Legitimate Interests: The processing is necessary for the legitimate interests pursued by the data controller or a third party, unless those interests are overridden by the data subject's rights and freedoms.
- Research: The processing is for historical, statistical, journalistic, or scientific research.
d. Privacy Notice Requirements
Organizations have a duty to notify data subjects about how their data is being processed. A clear and accessible privacy notice must include:
- The identity and contact details of the data controller.
- The purpose for which the personal data is collected.
- The data subject's rights.
- The recipients or categories of recipients of the data.
- The consequences of failure to provide the required data.
Organizations must update privacy notices in line with processing changes.
e. Security Requirements
Data controllers and processors are required to implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. This includes protecting against accidental loss or damage.
f. Data Breach Requirements
In the event of a personal data breach, data controllers must notify the Data Commissioner without undue delay, and in any case within 72 hours of becoming aware of the breach. If a data processor is involved, it must notify the data controller within 48 hours.
Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the affected individuals must also be notified without undue delay.
g. Data Protection Officer Requirements
A DPO must be designated if a data controller or data processor is a public body, processes sensitive personal data on a large scale, or has core activities that require regular and systematic monitoring of data subjects on a large scale. The DPO’s role includes advising on compliance and acting as a contact point for the Data Commissioner.
h. Data Protection Impact Assessment
The DPA mandates conducting a Data Protection Impact Assessment (DPIA) before carrying out high-risk processing activities (e.g., large-scale processing of sensitive data, use of new technologies, profiling).
A DPIA should include a systematic description of the processing, an assessment of the necessity and proportionality, an assessment of the risks, and the measures to address those risks.
i. Retention of Records of Personal Data
Personal data should not be retained for longer than is necessary to fulfill the purposes for which it was collected. Furthermore, organizations must maintain accurate and up-to-date records of processing activities.
j. Cross-Border Data Transfer Requirements
Transferring personal data outside Kenya is not allowed unless:
- The recipient country has adequate data protection safeguards;
- The data subject has consented; or
- There are appropriate contractual clauses or legal derogations (e.g., necessity for a contract, public interest).
Some categories of data may be required to be processed and stored in Kenya (localization), especially where mandated by the Cabinet Secretary.
VI. Data Subject Rights
The DPA grants several rights to data subjects to give them control over their personal data. These rights include:
a. Right to Be Informed
The right to be informed of the use of their personal data.
b. Right of Access
The right to obtain confirmation, access, and a copy of their personal data. The Data Protection (General) Regulations, 2021, specify that a data controller must respond to such a request within seven days.
c. Right to Rectification
The right to request the correction or deletion of false, misleading, or inaccurate personal data. The Data Protection (General) Regulations, 2021, specify that a data controller must comply with a request for rectification within 14 days of receiving it.
d. Right to Opt-Out of Processing Personal Data
Data subjects may object to or restrict processing based on legitimate grounds, unless the controller demonstrates compelling interests.
e. Right Not to Be Subject to Automated Decision-Making
Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affects them.
f. Right to Prevent Processing of Personal Data for Direct Marketing
Data subjects can object to their personal data being used for direct marketing and must be provided an easy way to opt out.
g. Right to Data Portability
The right to receive personal data concerning them in a structured, commonly used, and machine-readable format and to transmit the data to another data controller.
h. Exercise of Rights by Data Subjects
A right conferred on a data subject may be exercised by:
- A person with parental authority or a guardian, if the data subject is a minor.
- A person duly authorized to act as their guardian or administrator, if the data subject has a mental or other disability.
- A person duly authorized by the data subject, in any other case.
VII. Penalties for Non-Compliance
Non-compliance with the DPA can result in significant penalties:
- The Data Commissioner may impose administrative fines of up to five million Kenyan Shillings (KES 5,000,000) or up to one percent (1%) of the organization's annual turnover of the preceding financial year, whichever is lower.
- Additional administrative actions, including orders to cease processing, corrective orders, or public warnings.
VIII. How Can Organizations Operationalize the DPA
- Assess Readiness: Map data flows, identify gaps, and conduct DPIAs.
- Register: Ensure registration with the Data Protection Commissioner if required.
- Update Policies: Review privacy notices, consent mechanisms, and retention schedules.
- Automate DSRs: Implement solutions for data subject rights requests (access, correction, erasure, portability, etc.).
- Strengthen Security: Regularly audit and enhance security controls.
- Train Staff: Conduct regular data protection and privacy awareness training.
- Monitor Vendors: Assess and document third-party and cross-border data transfers.
- Prepare for Incidents: Establish a breach notification and response plan.
IX. How Securiti Can Help
Securiti provides end-to-end automation for compliance with Kenya’s Data Protection Act. Organizations can automate DSR fulfillment (access, rectification, erasure, objection), manage consent from a centralized dashboard, and easily create or update privacy notices. The platform streamlines breach response, vendor risk management, and automated data mapping. With built-in readiness assessment tools and DPIA automation, Securiti enables continuous, scalable compliance.
Request a demo to see how Securiti simplifies DPA compliance in Kenya.