Kenya’s DPA

Get compliant with the most comprehensive PrivacyOps platform.

Kenya’s Data Protection Act, 2019 (DPA) is based on the framework of the EU’s General Data Protection Regulation (GDPR), and its passage made Kenya the third country in East Africa to have enacted and enforced data protection regulations. The DPA seeks to protect the personal data of individuals residing in Kenya by placing obligations on data controllers and data processors and regulating the processing of personal data.

The Data Protection Act, 2019, came into effect in November 2019.

The solution

Securiti enables organizations to ensure seamless compliance with Kenya Data Protection Act (DPA) 2019 with its AI-driven data discovery, DSR automation, universal consent management, autonomous documented accountability, data breach management, and vendor risk assessment.

Securiti supports enterprises in their journey towards compliance with Kenya DPA 2019 through automation, enhanced data visibility, and identity linking.

See how our comprehensive PrivacyOps platform helps you comply with various sections of Kenya’s Data Protection Act.
Customize a data subject rights request portal for seamless customer care

Create customized web forms according to your brand image with the DSR request format and accept verified data subject rights requests. Automate the initiation of fulfillment workflows when verified requests are received.

Automate data subject request handling

Section 26(b)

Data subjects have the right to be informed of the use of their personal data and access their data held by an organization. For this purpose, organizations must simplify the initiation of verified DSR requests. Automating the delivery and generation of secure data access reports will significantly reduce the risk of compliance violations and reduce the workforce required to comply with all the requests.

Secure fulfillment of data access

Section 26(b)

Disclosure of information to the data subjects within a limited time frame of receiving a verifiable data request is a must for any organization looking to comply. This will be free of charge and delivered through a secure, centralized portal.

Automate the processing of rectification requests

Sections 26(d), 40(a)

With the help of automated data subject verification workflows across all appearances of a subject’s personal data, you can seamlessly fulfill all data rectification requests.

Automate erasure requests

Sections 26(e), 40(b)

Fulfill data subject’s erasure requests swiftly through automated and flexible workflows.

Automate objection and restriction of processing requests

Sections 26(c), 34, 36

Build a framework for objection and restriction of processing handling based on business requirements, with the help of collaborative workflows.

Monitor and track consent

Sections 30(1), 32, 33(a), 37(a)

Track consent revocation of data subjects to prevent the transfer or processing of data without their consent. Seamlessly demonstrate consent compliance to regulators and data subjects.

Assess data protection and privacy act readiness

Sections 25, 30, 31, 41

With the help of our multi-regulation, collaborative readiness and personal information impact assessment system, you can gauge your organization's posture against the requirements of Kenya’s Data Protection Act, identify the gaps, and address the risks. Seamlessly expand assessment capabilities across your vendor ecosystem to maintain compliance.

Meet cookie compliance

Sections 30(1), 32

Automatically scan the web properties within your organization, categorizing tags and cookies. Also, build customizable cookie banners, collect consent, and provide a preference center.

Automate breach response notification

Section 43

Automate compliance actions and notifications to concerned stakeholders about security incidents by leveraging a knowledge database on security incident diagnosis and response.

Manage vendor risk

Section 42(4)

Keep track of privacy and security readiness for all your service providers and processors from a single interface. Collaborate instantly with vendors, automate data requests and deletions, and manage all vendor contracts and compliance documents.

Key Rights Under Kenya’s Data Protection Act 2019

Right to be Informed: Data subjects have the right to be informed of the use of their personal data. Organizations must also notify data subjects of their rights before the collection of personal data.

Right to Access: Data subjects have the right to access their personal data held by the data controller or data processor.

Right to Rectification: Data subjects have the right to request correction of any false or misleading data.

Right to Erasure: Data subjects have the right to request the deletion of false or misleading data.

Right to Data Portability: Data controllers and processors are obligated to honour data subjects’ right to portability by providing them their personal data in a structured, commonly-used and machine-readable format on their request.

Right to Object: The data subject has the right to object to the processing of their personal data unless the data controller or data processor demonstrates compelling legitimate interests that override the data subject’s interests.

Right not to be Subjected to Automated Decision-Making: The data subject has the right to not be subject to a decision based solely on automated processing including profiling which produces legal effects concerning them or significantly affects the data subject.

Facts related to Kenya’s Data Protection Act 2019

1. The DPA requires organizations to adhere to certain data protection principles including lawful processing, purpose limitation, data minimization, and data accuracy.

2. The DPA prohibits data controllers and data processors from cross-border data transfers unless there are adequate data protection safeguards in place.

3. Data controllers or processors that determine the purpose and means of the processing of personal data must register with the Data Commissioner.

4. Where personal data has been accessed or acquired by an unauthorized person and where there is a real risk of harm to the data subject, data controllers must notify the Data Commissioner without delay, within 72 hours of becoming aware of a breach.

5. Infringement of the provisions of the DPA may be penalized by not more than KES 5 million or 1% of the previous fiscal year’s annual turnover.
