Introduction

Kenya’s Data Protection Act (the “DPA”) entered into force on 25 November 2019. 

The DPA gives effect to the provisions of Article 31 of Kenya's Constitution which provide for the fundamental right to privacy. The DPA is largely modelled on European Union’s GDPR.

Recent Developments

We wish to update you on recent developments in relation to the DPA and on issues relating to data protection in Kenya generally as follows:

• The DPA establishes the Office of the Data Protection Commissioner (the “ODPC”) headed by a Data Commissioner. The ODPC has been set up and the first Data Commissioner (Ms Immaculate Kassait) was appointed on 16 November 2020.
• The ODPC has launched its official website- www.odpc.go.ke which aims to be a resource tool for provision of data protection information such as guidelines compliance requirements and rights of data subjects. Through the website, members of public will be able to report breaches, file complaints or report privacy concerns with the Data Commissioner. 
• The DPA empowers the Data Commissioner to, inter alia, make regulations setting out thresholds for mandatory registrations by data controllers and data processors.
• In January 2021, the Cabinet Secretary for Information, Communications, Technology, Innovation and Youth Affairs constituted the Taskforce on the Development of Data Protection General Regulations (the “Taskforce”) to, inter alia, develop data protection regulations, conduct a comprehensive audit of the DPA, identify gaps in the law and propose amendments.
• We anticipate that with the appointment of the Taskforce, the regulations setting out the thresholds for mandatory registration under the DPA are likely to be enacted soon.
• The Data Commissioner has issued two Guidance Notes: (1) Guidance Note on Consent and (2) Guidance Note on Data Protection Impact Assessment. The Guidance Note on Consent provides guidance on the processing of personal data on the basis of consent whereas the Guidance Note on Data Protection Impact Assessment provides guidance to data controllers and data processors on when and how to conduct Data Protection Impact Assessments.
• In addition, the Data Commissioner has prepared the following draft Guidelines that are awaiting comments and input from the public: Guidelines on Registration of Data Controllers and Processors; Certification of Data Controllers and Processors; Appointment of Data Protection Officers; and Data Sharing Code and Enforcement. We shall provide updates once these Guidelines are finalised and made public.

Way Forward

Given all these recent developments, we recommend that data controllers and data processors take immediate steps to ensure compliance with the DPA including undertaking audits on how they process personal data, putting in place data privacy policies, data privacy notices, data transfer/sharing agreements and data storage policies and reviewing/inserting data protection clauses in standard form contracts.