
Data Protection Act, 2019 (Kenya)

Kenya's Data Protection Act establishes a comprehensive framework for personal data protection, creating the Office of the Data Protection Commissioner and granting individuals extensive rights over their personal data.

Issuing Body: Parliament of Kenya / Office of the Data Protection Commissioner (ODPC)
First Published: 2019-11-08
Latest Version: 2019 (enforced November 25, 2019)
Typical Cost: $5,000–$70,000
Typical Timeline: 3–8 months
Audit Required: No
Audit Frequency: No mandatory periodic external audit. The Data Commissioner may conduct audits and investigations. Data controllers and processors must register with the ODPC.
Geography: Kenya

Kenya DPA: The Complete Guide

Kenya's Data Protection Act of 2019 is East Africa's most comprehensive data protection law and a model for the region. Enacted to fulfill the data protection mandate in Kenya's 2010 Constitution, the Act establishes the Office of the Data Protection Commissioner as an independent regulatory body and creates a robust framework for protecting personal data.

What the Kenya DPA Covers

The Act is built on eight core data protection principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles apply to all processing of personal data by controllers and processors.

Processing requires a lawful basis, with consent being the primary mechanism. Other bases include contractual performance, legal obligations, vital interests, public interest, and legitimate interests. Consent must be free, informed, and specific, and data subjects may withdraw consent at any time.

Data subjects enjoy comprehensive rights, including the right to be informed, to access their data, to object to processing, to correct false or misleading data, to have data that is no longer necessary deleted, and to data portability. The Act also restricts automated decision-making that significantly affects individuals.

Sensitive personal data — including health status, ethnic or social origin, religious beliefs, political affiliations, sexual orientation, biometric and genetic data, and data of children — requires explicit consent and additional safeguards.

Registration Requirement

All data controllers and processors must register with the Office of the Data Protection Commissioner. Registration requires disclosure of the nature of data processed, purposes, categories of data subjects, and cross-border transfer details. The ODPC maintains a public register of data controllers and processors.

Cross-Border Transfers

The Act restricts the transfer of personal data outside Kenya unless the recipient country has adequate data protection safeguards, the data subject has consented, or the transfer is necessary for contractual performance or other specified purposes. The Data Commissioner determines adequacy.

Enforcement and Penalties

The Data Commissioner may investigate complaints, conduct audits, and impose penalties. Administrative fines reach up to 5 million Kenyan Shillings (approximately $40,000) or 1% of annual turnover. Criminal penalties include fines up to 3 million Kenyan Shillings and imprisonment for up to 10 years for certain offenses.

Practical Compliance Steps

  1. ODPC registration — Register as a data controller or processor with the Data Commissioner
  2. Lawful basis documentation — Map and document the legal basis for all processing activities
  3. Consent management — Implement mechanisms for obtaining, recording, and withdrawing consent
  4. DPIA process — Conduct Data Protection Impact Assessments for high-risk processing
  5. Breach notification — Establish a 72-hour notification process to the Data Commissioner
  6. Cross-border assessment — Evaluate transfer destinations and implement required safeguards
