Until the year 2019, Kenya did not have a legislative framework regulating data privacy in the country save for the constitutional guarantees on privacy. Now, our data protection regime is underpinned by the Data Protection Act. The Data Protection Act was enacted to give effect to Article 31 of the Kenyan Constitution which speaks to privacy as a fundamental and human right.
Essentially, the Data Protection Act imposes rules on the control and processing of personally identifiable information. This is any information relating to a natural person who can be identified, directly or indirectly, by that information such as: an identification number (National ID or PIN), location data, online identifier or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity. The Act borrows largely from the EU General Data Protection Regulation.
In this article, we delve into some FAQs on data protection in Kenya.
- Am I bound by the provisions of the Data Protection Act of Kenya? The Data Protection Act of Kenya applies to all businesses or entities holding and/or processing the personal data of persons resident in Kenya regardless of the business’ geographic location. Similarly, the legislation doesn’t distinguish between Kenyan citizens and non-citizens when it comes to protection of their privacy. If the data subject is located in Kenya, they are protected by the legislation where an entity or business is collecting, recording, storing, preserving, changing, revising, transmitting or even classifying their personal data.
- Does my company need a Data Protection Officer? Not necessarily. Under Kenya’s data privacy laws, a data protection officer (DPO) may be appointed if an entity is a public body, where an entity’s core activities involve regular and systematic monitoring of individuals, or where an entity routinely processes sensitive data. Institutions such as health care facilities, airlines and banks would therefore likely need to appoint a DPO.
- Does my company really need a data protection policy? There is no express or specific requirement under Kenyan law that mandates adoption of a data protection policy. Nevertheless, having one in place helps provide a framework which enables businesses and their employees or agents to discharge the legal duty in so far as data processing is concerned.
- How can I lawfully deploy CCTV on my business premises? CCTV can be invasive and can give access to personal data such as the facial images of persons, their names and other personal details that are caught on footage. To be compliant, a business must ensure that:
  - A notice visible to persons accessing the premises is put up alerting them that the area is under CCTV surveillance.
  - CCTV footage is only used for its intended purpose and, where possible, encrypted.
  - Access to CCTV footage is restricted to a few select security or administrative personnel.
- Is consent always required for collecting and using personal data? No. Consent is one lawful basis for processing; it is not the only one and may not be the most appropriate in some instances. There are five other bases for processing personal data, as follows:
  - contract: you do not need consent, for example, to fulfil your obligations under an employment contract.
  - compliance with a legal obligation: if you are required by Kenyan law to process the data for a particular purpose, such as banks processing KYC data, employers collecting and storing employee records, or companies keeping personal data of shareholders and directors, you do not need consent.
  - vital interests: you do not need consent if it is necessary to process data for the protection or preservation of a life.
  - public interest: you do not need consent where you need to process personal data to undertake official functions or a task in the public interest.
  - legitimate interests: you can process personal data without consent if you need to do so for a genuine and legitimate reason (including commercial benefit).
- How is marketing affected by the data protection laws in Kenya? Businesses must now be explicit about the ways in which they collect personal data for marketing purposes. Businesses can no longer rely on implied consent to direct marketing as the law now enforces explicit consent as a precondition to this.
- What regulatory thresholds does my business need to meet to be compliant in the processing of personal data? An entity must abide by the data protection principles to avoid compliance risks in personal data processing:
  - Personal data must be processed in accordance with the right to privacy of the individual;
  - Personal data must be processed lawfully, fairly and in a transparent manner;
  - Personal data must be collected for explicit, specified and legitimate purposes and processed only for those specific purposes;
  - Personal data must be collected only where a valid explanation is provided; and
  - Personal data must be accurate and, where necessary, kept up to date, with inaccuracies rectified.
- What happens when a complaint is lodged against your business with the Office of the Data Commissioner? The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 govern the procedure for the receipt and determination of complaints filed by a data subject who feels that an organization has infringed on their rights or breached the Data Protection Act. Where a complaint is lodged, the Office of the Data Commissioner has full mandate to investigate it. In addition to monitoring a business to assess compliance, the Data Commissioner can, upon obtaining a warrant from a court, enter an organization’s premises to assess compliance with data protection requirements. If the Data Commissioner directs an organization or any person to supply information or documents in connection with the investigation, compliance is mandatory. After concluding its investigations, the Office of the Data Commissioner may:
  - make recommendations as to how an organization can improve data protection;
  - issue an enforcement notice imposing administrative fines or penalties;
  - order compensation to be paid to the complainant; and/or
  - recommend criminal proceedings against the company and its officers.
- What questions should businesses be posing to themselves to assess their level of data protection compliance?
  - Do we have the right kind and level of consent?
  - Who has access to our data?
  - How prepared are we for a data breach?
  - Do we know the financial implications or cost of a data leak?
  - Can we demonstrate and/or measure our compliance with the Data Protection Act?
  - Do we undertake routine reviews of our data systems, policies and security processes?
- Where can I get general guidance on data privacy compliance in Kenya? One helpful source is the Office of the Data Protection Commissioner. This is the regulatory body having supervisory oversight of data protection compliance in Kenya and provides practical advice on how to comply with data protection regulation and how to improve data protection practices in your business. You can access these practical guides at the ODPC website: