Kenya's Data Protection Act 2019 represents one of Africa's most comprehensive data privacy frameworks. Enforced by the Office of the Data Protection Commissioner (ODPC), this legislation imposes strict obligations on any business collecting, processing, or storing personal data of Kenyan residents. Non-compliance is not merely a regulatory inconvenience—it exposes your organisation to fines of up to KES 5 million, criminal prosecution, and irreversible reputational damage.
This guide provides a practical, step-by-step framework for how to comply with the Kenya Data Protection Act. Whether you operate a fintech startup in Nairobi, an e-commerce platform serving East Africa, or a multinational entering the Kenyan market, these compliance steps are essential for lawful operation.
Step 1: Determine Whether the Data Protection Act Applies to Your Business
The Kenya Data Protection Act 2019 applies to all data controllers and processors handling personal data of individuals within Kenya. This includes:
- Companies incorporated in Kenya, regardless of where data processing occurs
- Foreign companies offering goods or services to individuals in Kenya
- Any organisation monitoring the behaviour of Kenyan residents
If your business collects names, email addresses, phone numbers, location data, payment information, or any information relating to an identified or identifiable natural person—the Act applies to you. There is no minimum threshold for compliance. Even small businesses processing minimal data must adhere to the Act's requirements.
Step 2: Conduct a Comprehensive Data Audit
Before implementing compliance measures, you must understand what personal data you hold, where it resides, and how it flows through your organisation. A thorough data audit should document:
- Categories of personal data collected (contact details, financial information, biometric data, etc.)
- Legal basis for processing each category of data
- Data collection methods and points of entry
- Storage locations, including cloud services and third-party processors
- Data retention periods and deletion procedures
- International data transfers and recipient jurisdictions
This audit forms the foundation of your compliance programme. Without accurate documentation of your data processing activities, you cannot implement effective controls or respond to regulatory inquiries. Many businesses engage specialist data protection legal services to ensure their audit captures all relevant processing activities.
Step 3: Register with the Office of the Data Protection Commissioner
Under the Data Protection Act, data controllers and processors meeting specific thresholds must register with the ODPC. Registration requirements apply to:
- Public bodies and state corporations
- Companies with annual turnover or assets exceeding prescribed thresholds
- Businesses processing sensitive personal data at scale
- Businesses engaged in direct marketing, credit referencing, or profiling
Registration involves submitting detailed information about your processing activities, paying the prescribed fees, and maintaining up-to-date records. The ODPC actively monitors compliance with registration requirements, and failure to register when required constitutes an offence under the Act.
Step 4: Establish a Lawful Basis for Processing
Every processing activity must rest on one of the lawful bases specified in Section 30 of the Data Protection Act. These include:
- Consent: Freely given, specific, informed, and unambiguous indication of the data subject's wishes
- Contractual necessity: Processing necessary for the performance of a contract with the data subject
- Legal obligation: Processing necessary for compliance with a legal obligation
- Vital interests: Processing necessary to protect the vital interests of the data subject
- Public interest: Processing necessary for the performance of a public interest task
- Legitimate interests: Processing necessary for legitimate interests pursued by the controller (subject to balancing test)
Document the lawful basis for each processing activity in your records. If relying on consent, ensure mechanisms allow withdrawal as easily as giving consent. For sensitive personal data, stricter conditions apply, and explicit consent is generally required.
Step 5: Implement Data Protection by Design and Default
The Data Protection Act requires organisations to implement technical and organisational measures that ensure data protection principles are integrated into processing activities. This means:
- Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing
- Pseudonymising personal data where possible
- Implementing appropriate security measures (encryption, access controls, monitoring)
- Minimising data collection to what is strictly necessary
- Establishing retention schedules with automatic deletion
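The measures listed above (minimisation, pseudonymisation, and retention with automatic deletion) are easier to audit when they are enforced in code rather than by policy alone. The following is an added illustration written for this guide, not code from the original article or from any regulator; the key, field names, retention periods and customer records are all constructed examples. It strips every field a downstream system does not need, replaces the customer identifier with a keyed pseudonym (reversible only by whoever holds the key, which would live in a key-management system in practice), and purges records whose purpose-specific retention period has lapsed before anything is exported.

```python
"""Data protection by design: minimise, pseudonymise, then enforce retention.

Added example for this guide; all keys, field names, periods and records are
constructed and hypothetical, not statutory values.
"""
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical key. In production this is held in a KMS/HSM, separate from
# the pseudonymised dataset, so the dataset alone cannot be re-identified.
PSEUDONYM_KEY = b"example-key-rotate-me"

# Data minimisation: only these fields ever leave the system of record.
ALLOWED_FIELDS = {"customer_id", "county", "plan", "created_at"}
# Direct identifiers inside the allowed set are replaced by a keyed pseudonym.
IDENTIFIER_FIELDS = {"customer_id"}

# Retention schedule per processing purpose (constructed periods for the example).
RETENTION_PERIODS = {
    "marketing": timedelta(days=365),
    "transactions": timedelta(days=7 * 365),
}


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256: the same input always maps to the same token, but the
    token cannot be turned back into the identifier without the key, and a
    plain hash-table lookup over likely identifiers does not work either."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Drop every field not in ALLOWED_FIELDS and pseudonymise identifiers."""
    out = {}
    for field, value in record.items():
        if field not in ALLOWED_FIELDS:
            continue  # names, e-mail, phone, national ID: never exported
        out[field] = pseudonymise(value, key) if field in IDENTIFIER_FIELDS else value
    return out


def apply_retention(records, purpose: str, now: datetime):
    """Split records into (kept, purged) using the schedule for `purpose`."""
    limit = RETENTION_PERIODS[purpose]
    kept, purged = [], []
    for rec in records:
        created = datetime.fromisoformat(rec["created_at"])
        (purged if now - created > limit else kept).append(rec)
    return kept, purged


# Constructed sample records containing typical direct identifiers.
SAMPLE_RECORDS = [
    {"customer_id": "C1001", "full_name": "Jane Wanjiru", "email": "jane@example.com",
     "phone": "+254700000001", "national_id": "12345678", "county": "Nairobi",
     "plan": "pro", "created_at": "2020-01-15T10:00:00+00:00"},
    {"customer_id": "C1002", "full_name": "Ali Hassan", "email": "ali@example.com",
     "phone": "+254700000002", "national_id": "87654321", "county": "Mombasa",
     "plan": "basic", "created_at": "2024-06-01T09:30:00+00:00"},
]


def process(records=SAMPLE_RECORDS, purpose: str = "marketing", now=None):
    """Purge expired records first, then minimise and pseudonymise the rest.
    Returns (exported_records, number_purged)."""
    now = now or datetime(2025, 1, 1, tzinfo=timezone.utc)
    kept, purged = apply_retention(records, purpose, now)
    return [minimise_record(r) for r in kept], len(purged)


if __name__ == "__main__":
    exported, purged_count = process()
    print(f"purged {purged_count} expired record(s); exporting: {exported}")
```

Retention is applied before minimisation on purpose: a record past its retention date should be deleted, not exported in reduced form. The pseudonym is deterministic so that records about the same person can still be joined across exports, which is what distinguishes pseudonymisation from anonymisation and why the key must be guarded as tightly as the raw identifiers.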
Step 6: Appoint a Data Protection Officer (If Required)
The Data Protection Act mandates appointment of a Data Protection Officer when:
- Processing is carried out by a public body or public authority
- The core activities of the controller or processor consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale
- The core activities consist of processing sensitive personal data on a large scale
The DPO must have expert knowledge of data protection law and practices, operate independently, and report directly to the highest management level. Many organisations choose to outsource DPO functions to specialist providers rather than maintaining full-time internal capacity.
Step 7: Draft Compliant Privacy Policies and Notices
Your privacy policy must provide clear, concise, and transparent information about how you process personal data. Under Kenyan law, privacy notices must specify:
- The identity and contact details of the data controller
- Purposes of processing and legal basis
- Recipients or categories of recipients
- International transfer details and safeguards
- Retention periods or criteria for determining them
- Rights of data subjects and how to exercise them
- Right to lodge complaints with the ODPC
Step 8: Establish Data Subject Rights Procedures
Kenyan data subjects enjoy comprehensive rights under the Act, including access, rectification, erasure, restriction of processing, data portability, and objection rights. Your organisation must establish procedures to receive and respond to these requests within statutory timeframes—typically within 30 days of receipt.
Implement mechanisms for data subjects to exercise their rights easily, train relevant staff on handling requests, and maintain records of all interactions. Failure to respond appropriately to data subject requests constitutes a breach of the Act and may trigger regulatory action.
Step 9: Prepare for Data Breach Response
The Data Protection Act requires data controllers to notify the ODPC of personal data breaches within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in high risk to the rights and freedoms of data subjects, they must also be notified without undue delay.
Develop a data breach response plan that defines roles and responsibilities, establishes escalation procedures, and includes template notification documents. When a breach occurs, minutes matter—having procedures in place before an incident can mean the difference between manageable containment and regulatory enforcement.
Step 10: Review Third-Party Processor Arrangements
If you engage third parties to process personal data on your behalf—cloud providers, payment processors, marketing platforms—you remain responsible for their compliance. The Act requires data processing agreements that specify:
- Subject matter and duration of processing
- Nature and purpose of processing
- Type of personal data and categories of data subjects
- Controller obligations and rights
- Processor obligations to act only on the controller's instructions, and security requirements
When to Seek Professional Data Protection Legal Support
While this guide provides a framework for compliance, the Kenya Data Protection Act contains complexities that require specialist interpretation. Complex international transfers, automated decision-making systems, large-scale processing operations, and industry-specific obligations all benefit from professional legal guidance.
Bonyo Law provides comprehensive data protection legal services to organisations navigating Kenyan and African data privacy law. From compliance audits and DPO advisory to breach response and regulatory engagement, our specialists ensure your data protection programme meets both legal requirements and business operational needs.
Need Expert Data Protection Advice?
This guide provides general information. For advice specific to your business situation, speak with our data protection specialists. We offer comprehensive data protection legal services tailored to your industry and compliance needs.
