In today’s digital economy, customer trust is built on more than just good service — it’s built on how well you protect their personal information. Kenya’s Data Protection Act, 2019 (DPA) introduced strict rules on how organisations collect, store, use, and share personal data. Whether you run a small startup, a school, NGO, hospital, or multinational company, compliance is no longer optional — it’s a legal requirement.

This article breaks down the law in simple terms and outlines what every business must do to stay compliant.


What Is Personal Data?

Under the Act, personal data is any information that can identify a person, such as:

  • Full names, phone numbers, emails

  • ID or passport numbers

  • Biometric data (e.g. fingerprints, facial scans)

  • Financial or health records

  • Location, IP addresses, device identifiers

If your organisation handles any of the above — even in simple spreadsheets or WhatsApp communications — you are subject to the Act.


Key Obligations for Businesses Under the Data Protection Act

Here’s what every business must do:

✅ 1. Register as a Data Controller or Processor (If Required)

All organisations that collect or process personal data as part of their core operations must register with the Office of the Data Protection Commissioner (ODPC). This includes:

  • Banks, SACCOs, hospitals

  • Schools, HR firms, e-commerce stores

  • Digital platforms, fintech apps, NGOs

Failure to register may lead to penalties or legal enforcement.


✅ 2. Obtain Proper Consent Before Collecting Data

You must clearly inform users:

  • What data you’re collecting

  • Why you’re collecting it

  • How long you’ll keep it

  • Whether it will be shared with third parties

Silence, pre-ticked boxes, or hidden clauses do not count as valid consent.


✅ 3. Draft and Display a Privacy Policy

Your business must publicly display a privacy policy — especially on websites, apps, or forms where data is collected.


✅ 4. Secure the Data You Collect

You are legally required to protect personal data from loss, hacking, or unauthorised access. This may include:

  • Password protection & encryption

  • Restricted employee access

  • Regular data backups

  • Secure storage (physical or digital)


✅ 5. Allow Users to Access or Delete Their Data

Customers have the legal right to request:

  • A copy of their data held by you

  • Correction or deletion of that data

You must respond within a reasonable time.


What Are the Penalties for Non-Compliance?

The ODPC can issue fines of up to:

Ksh 5 million or 1% of your annual turnover — whichever is higher.

Beyond fines, a data breach can lead to reputational loss and lawsuits.


How to Get Started with Compliance

Here’s a quick checklist:

Compliance Step                      Status
Data Protection Audit Conducted      ____
Registered with ODPC                 ____
Privacy Policy in Place              ____
Consent Forms Updated                ____
Employee Data Handling Trained       ____
