Six years after enactment, the Data Protection Act, 2019 and its 2021 regulations are being actively enforced by the Office of the Data Protection Commissioner (ODPC). Enforcement notices, administrative fines (under Section 63, up to KES 5 million or 1% of annual turnover, whichever is lower) and the reputational cost of published determinations have moved compliance from a theoretical exercise to an operational priority for Nairobi businesses.
Registration as a data controller or processor
Entities meeting the thresholds in the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 must register with the ODPC. Only small entities below both the turnover and headcount thresholds are exempt, and that exemption does not apply at all in the sectors the regulations list as mandatory regardless of size, among them health, education, financial services, telecommunications and direct marketing. In practice, most medium and large enterprises and many small businesses in those sectors must register, and the registration must be kept current and renewed.
Lawful basis and consent
Every processing activity must rest on one of the lawful bases in Section 30: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, public interest or official authority, or legitimate interests. Where consent is the basis, the Act's own definition applies: it must be express, unequivocal, free, specific and informed. Pre-ticked boxes, silence, and consent bundled with unrelated terms do not meet that standard, and the controller bears the burden of proving that valid consent was obtained.
Data Protection Impact Assessments
High-risk processing, such as large-scale profiling, systematic monitoring of public areas or processing of sensitive personal data, requires a documented DPIA under Section 31 before processing begins. The assessment must describe the processing and its purpose, evaluate necessity and proportionality, identify the risks to data subjects and record the measures taken to address them. Where the completed assessment still indicates high risk, the Act requires prior consultation with the ODPC rather than merely permitting it.
Cross-border transfers
Transfers of personal data outside Kenya are governed by Section 48 and the General Regulations. A transfer is permitted where the destination has been found to offer adequate protection, where the controller can demonstrate appropriate safeguards to the Data Commissioner (for example contractual clauses or binding corporate rules), or where one of the derogations applies, including the data subject's explicit consent and necessity for the performance of a contract. Controllers should record which ground each transfer relies on, since the ODPC may ask for proof of the safeguards in place.
Breach notification
Under Section 43, a breach in which personal data is accessed or acquired by an unauthorised person, and which poses a real risk of harm to data subjects, must be notified to the ODPC within 72 hours of the controller becoming aware of it. The affected data subjects must also be informed in writing within a reasonably practical period, unless their identity cannot be established. A processor that becomes aware of a breach must report it to the controller, so processing agreements should fix the reporting window and the information to be passed on.
This article is for general information only and does not constitute legal advice. Readers should obtain specific counsel on their particular matters.
