Webinar Series
Date
March 26th 2026
Duration
1 hour 30 Minutes
Webinar Overview
The Data Protection Act 2019 and what it means for your business
Understanding the true cost of non-compliance
Understanding your legal obligations and risks
What you must do to stay compliant
Practical steps to achieve compliance and turn it into competitive advantage
Chapter One
The Data Protection Act 2019 and What It Means for Your Business
Understanding the Landscape
Gives effect to Article 31(c) and (d) of the Constitution of Kenya. Article 31 guarantees every person's right to privacy; paragraphs (c) and (d) cover the right not to have information relating to their family or private affairs unnecessarily required or revealed, and the right not to have the privacy of their communications infringed.
Establishes the Office of the Data Protection Commissioner (ODPC) as the regulatory authority responsible for overseeing implementation, enforcement, maintaining registers, investigating complaints, and conducting inspections.
One of Africa's most comprehensive data privacy frameworks, with extraterritorial scope similar to the EU's GDPR: it applies to organizations not established in Kenya that process the personal data of data subjects located in Kenya.
Regulate processing of personal data to protect individuals' privacy rights
Provide for rights of data subjects in relation to their personal data
Impose obligations on data controllers and processors
Establish mechanisms for addressing violations and seeking redress
The ODPC is actively enforcing the Act with nationwide inspections, penalty notices, and enforcement actions across multiple sectors. Non-compliance is not a theoretical risk—it's a real and present danger.
Understanding the Landscape
The Act applies to every data controller and data processor established or ordinarily resident in Kenya, and to those outside Kenya that process personal data of data subjects located in Kenya. Where your organization is incorporated does not determine whether the Act applies.
Data controller: A natural or legal person who determines the purpose and means of processing personal data. This includes businesses, government agencies, NGOs, and any organization that decides why and how personal data is processed.
Example: A bank collecting customer information for account opening.
Data processor: A natural or legal person who processes personal data on behalf of the data controller. Processors act under the controller's instructions and do not determine the purposes of processing.
Example: A cloud service provider storing customer data for a bank.
Unlike some jurisdictions, there is no minimum threshold for compliance. Even small businesses processing minimal personal data must adhere to the Act's requirements. Size doesn't exempt you from compliance.
Understanding the Landscape
Personal data: Any information relating to an identified or identifiable natural person (data subject). This includes names, ID numbers, location data, online identifiers, and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
Examples: Email addresses, phone numbers, IP addresses, employment records, financial information.
Sensitive personal data: Under the Act, personal data revealing a person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including the names of children, parents, spouse or spouses), sex or sexual orientation. It may be processed only on the narrower grounds the Act permits and requires heightened protection.
Note: Processing sensitive personal data has stricter requirements than processing ordinary personal data.
Data subject: An identified or identifiable natural person who is the subject of personal data. This includes employees, customers, suppliers, website visitors: any individual whose personal data is processed by your organization.
Rights: Access, rectification, erasure, objection, portability.
Processing: Any operation or set of operations performed on personal data, whether or not by automated means, including:
Collection
Recording
Organization
Adaptation
Retrieval
Consultation
Also includes: use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
Chapter Two
Understanding the True Cost of Non-Compliance
The Hidden Financial Risks
Section 63 of the DPA
Maximum Penalty:
KES 5 Million
OR
1% of Annual Turnover
(whichever is lower)
Imposed by the Data Commissioner for failure to comply with data protection principles and obligations.
Issued to compel compliance, requiring specific steps to be taken within defined timeframes. Failure to comply with enforcement notices can result in additional fines of up to KES 5 million or imprisonment or both.
Penalty Notices
Monetary penalties for proven infringements after investigation.
Enforcement Notices
Orders requiring specific corrective actions within set timeframes.
Administrative Fines
Deterrent fines to prevent repetition of infringement.
Data subjects can seek compensation for violations, including financial loss and emotional distress. A party aggrieved by the Data Commissioner's decision may take the matter to the courts, which can result in significant compensation awards.
Criminal Liability: Directors and company officers can face criminal prosecution for willful violations, including potential imprisonment.
The Hidden Financial Risks
The ODPC ruled that an employer violated an employee's rights by using their photograph for commercial purposes without obtaining explicit consent. This case establishes critical precedent for how consent must be obtained and documented.
Compensation Awarded
KES 500,000
Legal Basis
Section 37(1) DPA
Burden of Proof
On Controller
The ODPC has issued penalty notices across multiple sectors, demonstrating broad enforcement reach:
Entertainment
Finance & Banking
Education
The ODPC has announced nationwide inspections to assess compliance across various sectors. This proactive enforcement approach means:
No sector is exempt from scrutiny
Compliance documentation will be reviewed
Non-compliance will result in immediate action
Proactive compliance is essential
Key Takeaway: The ODPC is actively enforcing the Act. The January 2025 ruling demonstrates that even seemingly minor violations (using an employee photo without consent) can result in significant financial penalties. The burden of proof rests entirely on the data controller to demonstrate consent was obtained.
The Hidden Financial Risks
Data breaches and non-compliance become public knowledge, eroding customer trust and brand value. In Kenya's competitive market, privacy-conscious consumers will switch to compliant competitors.
Impact: Customer churn, difficulty acquiring new customers, long-term brand damage.
Retrofitting compliance is significantly more expensive than building it from the start. Costs include system overhauls, policy development, legal consultations, and staff training.
Impact: Emergency IT projects, external consultant fees, operational disruption.
Enforcement actions can require suspension of data processing activities, effectively halting business operations until compliance is achieved.
Impact: Lost revenue, inability to serve customers, contractual breaches.
Data subjects can file civil lawsuits for damages resulting from privacy violations. Class action risks increase with the scale of the breach or non-compliance.
Impact: Legal defense costs, settlement payments, court-ordered damages.
Non-compliance makes you ineligible for procurement opportunities and unattractive to investors who conduct due diligence on data protection practices.
Impact: Exclusion from RFPs, failed investment deals, partnership rejections.
Data breaches and enforcement actions lead to significantly higher cyber insurance premiums or complete inability to obtain coverage.
Impact: Increased operating costs, uninsured breach exposure.
Industry estimates commonly put the total cost of non-compliance (fines, remediation, lost business and reputational damage) at 3 to 5 times the initial regulatory fine. For a KES 5 million fine, the true cost could reach KES 15 to 25 million or more.
Chapter Three
Understanding Your Legal Obligations and Risks
Legal Liabilities and Exposure
Section 26 of the Data Protection Act grants data subjects comprehensive rights. Failure to respect these rights can lead to formal complaints, enforcement actions, and compensation claims. You must establish procedures to receive and respond to these requests within statutory timeframes—typically within 30 days of receipt.
Data subjects have the right to know how their personal data is being used. You must provide clear, concise, and transparent information through privacy notices at the point of data collection.
Data subjects can request access to their personal data you hold, including purposes of processing, categories of data, recipients, and retention periods.
Data subjects can require you to correct inaccurate or incomplete data without undue delay. You must also notify any third parties who received the data.
Also known as the "right to be forgotten," data subjects can request deletion of their data when it's no longer necessary, consent is withdrawn, or processing was unlawful.
Data subjects can object to processing based on legitimate interests or for direct marketing purposes. You must stop processing unless you demonstrate compelling legitimate grounds.
Data subjects can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance.
Critical Requirement: You must implement mechanisms for data subjects to exercise their rights easily, train staff on handling requests, and maintain records of all interactions. Failure to respond appropriately constitutes a breach and may trigger regulatory action.
Legal Liabilities and Exposure
Section 48 of the Act prohibits sharing or transferring personal data outside Kenya unless specific conditions are met. Violations can lead to regulatory bans, fines, suspension of data operations, and civil lawsuits.
Adequate Safeguards
Proof of appropriate safeguards in the recipient country regarding security and protection.
Adequacy Decision
DPC has determined the recipient country ensures adequate protection.
Necessity
Transfer necessary for contract performance, legal claims, public interest, or vital interests.
Explicit Consent
Data subject has given explicit consent after being informed of risks.
Cross-border processing of sensitive personal data is permitted only where all of the applicable conditions are met:
Explicit consent from data subject
Proof of appropriate safeguards
Written approval from DPC (for civil registration data)
You must ensure storage of at least one serving copy of personal data on a server or data center located in Kenya.
Common Violation: Using cloud services, payment processors, or marketing platforms that store data outside Kenya without proper safeguards or consent is a frequent compliance failure with serious consequences.
Legal Liabilities and Exposure
Mandatory registration for data controllers/processors meeting thresholds. Failing to register is an offense under Section 18.
Failure to respond to access, rectification, erasure, or objection requests within statutory timeframes constitutes a breach.
Transferring personal data outside Kenya without adequate safeguards, adequacy decisions, necessity, or explicit consent.
Failure to implement appropriate technical and organizational measures to protect personal data, leading to breaches.
Using personal data for commercial purposes without explicit consent, as demonstrated in the January 2025 ODPC ruling.
Chapter Four
What You Must Do to Stay Compliant
Compliance Requirements
Any person acting as a data controller or data processor must be registered with the Data Commissioner. Registration must be renewed every 24 months. Failure to register when required is a criminal offense.
Public bodies and state corporations
Companies with annual turnover or assets exceeding prescribed thresholds
Businesses processing sensitive personal data at scale
Specific industries (see right panel)
Financial Services
Healthcare
Telecommunications
Education
Transport Services
CCTV/Security
Direct Marketing
Gambling
Data controllers/processors with annual turnover below KES 5 million and fewer than 10 employees are exempt from mandatory registration (unless in a mandatory industry).
Submit application through ODPC portal with prescribed fee. Certificate issued within 14 days if requirements are met. Valid for 24 months from issuance.
Compliance Requirements
Section 25 of the Act outlines seven core data protection principles that must guide all data processing activities. These principles are not optional guidelines—they are legally binding obligations. Failure to adhere to any principle constitutes a breach of the Act.
Process personal data in a manner that upholds the data subject's right to privacy. Be transparent about how data is used and ensure processing is based on a lawful basis.
Collect personal data for specified, explicit, and legitimate purposes. Do not further process data in a manner incompatible with those purposes.
Ensure personal data is adequate, relevant, and limited to what is necessary for the intended purposes. Do not collect more data than you need.
Keep personal data accurate and up to date. Take reasonable steps to ensure inaccurate data is erased or rectified without delay.
Keep personal data in a form that permits identification of data subjects for no longer than necessary for the intended purposes.
Process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
The data controller is responsible for and must be able to demonstrate compliance with all data protection principles. This requires maintaining records, conducting impact assessments, and implementing governance frameworks.
Compliance Requirements
Sections 41-42 of the Act require data controllers and processors to implement appropriate organizational and technical measures to implement data protection principles effectively and protect personal data.
Encryption and hashing: Encrypt personal data in transit and at rest; store credentials and identifiers as salted hashes where the plaintext is never needed (hashing is one-way and is not a substitute for encryption of data you must read back)
Access Controls: Ensure only authorized personnel access necessary data
Authentication: Multi-factor authentication for sensitive systems
Network Security: Firewalls, intrusion detection, secure configurations
Audit Trails: Maintain logs of data access and processing activities
Security Policies: Develop, publish, and regularly update data handling policies
Staff Training: Regular data protection and privacy awareness training
Risk Assessments: Regularly assess risks and implement countermeasures
Incident Response: Procedures to detect, handle, report, and learn from breaches
Processor Agreements: Contractual clauses requiring processors to maintain security
Keep backups and logs to extent necessary
Use audit trails and event monitoring routinely
Protect sensitive data with adequate measures
Regularly review and test software for vulnerabilities
Compliance Requirements
Section 43 of the Act requires a data controller that becomes aware of a personal data breach posing a real risk of harm to the data subject to notify the ODPC without delay and within 72 hours, and to communicate the breach to the affected data subjects in writing within a reasonably practical period. A data processor that becomes aware of a breach must notify the data controller within 48 hours.
To ODPC (without delay, within 72 hours of becoming aware):
Any breach in which personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the data subject
To data subjects (in writing, within a reasonably practical period):
The same breaches, unless the identity of the data subject cannot be established
Documentation:
All breaches must be documented regardless of notification requirement
Nature of breach: Categories and approximate number of affected data subjects
Likely consequences: What harm could result from the breach
Measures taken: Steps to address and mitigate the breach
Contact details: DPO or contact point for more information
When a breach occurs, minutes matter. Having procedures in place before an incident can mean the difference between manageable containment and regulatory enforcement. Your plan should define roles, escalation procedures, and include template notification documents.
Compliance Requirements
Section 30 of the Act requires that every processing activity must rest on one of six lawful bases. You must determine and document your lawful basis before processing begins. Different requirements apply for sensitive personal data, which generally requires explicit consent.
Freely given, specific, informed, and unambiguous indication of the data subject's wishes. Must be as easy to withdraw as to give.
Best for: Marketing, cookies, optional services
Processing necessary for the performance of a contract to which the data subject is a party, or to take steps at their request before entering into a contract.
Best for: Employee data, customer orders, service delivery
Processing necessary for compliance with a legal obligation to which the controller is subject under Kenyan law.
Best for: Tax records, regulatory reporting, court orders
Processing necessary to protect the vital interests of the data subject or another natural person, typically life-or-death situations.
Best for: Emergency medical treatment, protecting life
Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Best for: Public health, social protection, law enforcement
Processing necessary for legitimate interests pursued by the controller or third party, except where overridden by data subject rights.
Best for: Fraud prevention, IT security, internal reporting
Documentation Required: You must document the lawful basis for each processing activity in your records of processing. If relying on consent, ensure mechanisms allow withdrawal as easily as giving consent. For sensitive personal data, explicit consent is generally required.
Compliance Requirements
Section 24 of the Act mandates appointment of a Data Protection Officer (DPO) in specific circumstances. The DPO must have expert knowledge of data protection law and practices, operate independently, and report directly to the highest management level.
All public bodies and public authorities must appoint a DPO, regardless of their processing activities.
Includes government agencies, state corporations, and public institutions
Organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale.
Examples: Online tracking, behavioral advertising, CCTV networks
Organizations whose core activities involve processing sensitive personal data on a large scale.
Examples: Health data, biometric data, genetic information
Inform and advise on data protection obligations
Monitor compliance with the Act and policies
Cooperate with the ODPC and be contact point
Provide advice on DPIAs when required
Expert knowledge of data protection law
Independence in performing duties
Report to highest management level
No conflict of interest with other duties
Chapter Five
Practical Steps to Achieve Compliance
Your Action Plan
Document what personal data you hold, where it comes from, how it's processed, where it's stored, who has access, and retention periods.
If you meet thresholds or operate in mandatory industries, complete registration through the ODPC portal and pay prescribed fees.
Document the lawful basis for each processing activity. For sensitive data, ensure you meet stricter requirements including explicit consent.
Implement technical and organizational measures that ensure data protection principles are integrated into processing activities from the start.
If required, appoint a qualified Data Protection Officer with expert knowledge, independence, and direct reporting to senior management.
Create clear, concise, and transparent privacy notices specifying purposes, lawful basis, retention periods, rights, and contact details.
Implement procedures to receive and respond to data subject requests within statutory timeframes (typically 30 days).
Develop a data breach response plan defining roles, escalation procedures, and template notification documents for the 72-hour ODPC notification.
Ensure data processing agreements are in place with all processors specifying subject matter, duration, nature, and security requirements.
Train staff on data protection principles, security measures, breach reporting, and handling data subject requests. Document all training.
Your Action Plan
Data protection compliance has moved beyond documentation. Organizations that treat compliance as structural governance infrastructure, not paperwork, gain measurable commercial advantage. In competitive markets, demonstrable compliance becomes a differentiator.
Investors conduct due diligence on data protection practices. Compliance demonstrates mature governance and reduces investment risk, making your organization more attractive to funding.
Compliance documentation accelerates due diligence
Many RFPs now require evidence of data protection compliance. Being compliant makes you eligible for opportunities that non-compliant competitors cannot pursue.
Compliance opens doors to new business opportunities
Privacy-conscious consumers prefer organizations that demonstrate commitment to protecting their data. Transparent data practices build long-term customer loyalty.
Trust is a competitive differentiator
Structured compliance reduces the risk of data subject complaints, regulatory enforcement, and civil litigation. Prevention is significantly cheaper than remediation.
Avoid fines, compensation, and reputational damage
The real question is no longer "Do we have a privacy policy?" but "Is our organization structurally compliant?" In 2026, demonstrable data protection compliance is not just a legal requirement—it's a commercial necessity and competitive advantage.
The Time to Act is Now
Avoid Costly Penalties - Become Fully Data Protection Compliant
Most organizations think having a privacy policy is enough — until enforcement begins. The Office of the Data Protection Commissioner (ODPC) is actively enforcing compliance. Non-compliance doesn’t just mean fines - it risks your reputation, clients, and business continuity.
KES 5M
Maximum Fine
72 Hours
Breach Notification
24 Months
Registration Validity
No obligation • Form Takes 1 minute • Expert guidance from KKCO East Africa LLP