Data Protection, Overview


The Constitution of Kenya [“the Constitution”] guarantees the right to privacy as a fundamental right. In 2019, the Data Protection Act, 2019 [“the Act”] was enacted to govern the lawful processing of personal data while maintaining security safeguards to protect it. The Act seeks to:

  1. Give effect to the Right to Privacy under the Constitution of Kenya, 2010;
  2. Establish the Office of the Data Commissioner;
  3. Regulate the processing of personal data;
  4. Provide for the rights of data ‘Subjects’ [the person whose information is collected, e.g. employees, service providers or third parties, either directly or indirectly]; and
  5. Set out the obligations of data ‘Controllers’ [the person who determines the purpose and means of processing personal data] and ‘Processors’ [the person who processes personal data on behalf of the data controller].


The principles that the Data Protection Act seeks to enforce include:

  1. Process data lawfully;
  2. Minimise the collection of data;
  3. Restrict further processing of data;
  4. Require data controllers and data processors to ensure data quality; and
  5. Establish and maintain security safeguards to protect personal data.

How does the Kenya Data Protection Act protect Personal Data and Privacy?

To enforce the Kenya Data Protection Act, the Office of the Data Commissioner [ODPC] was formed, whose mandate is to ensure that the provisions of the Act are followed through:

  1. Organizations that process personal data are held to high regulatory standards by the ODPC, which ensures that the interests of the data subject are protected.
  2. Organizations within the scope of the Data Protection Act are subject to the oversight of the Office of the Data Protection Commissioner, which will monitor and audit data collection procedures to ensure compliance with the Act.
  3. An Enforcement Notice may be issued by the Data Protection Commissioner outlining the consequences of failure to comply with the Act, which may include fines and penalties.

Who needs to Comply?

Compliance with the Kenyan Data Protection Act is mandatory. All organizations listed below, and any company collecting any personal data, must comply:

  1. Businesses with a turnover of more than Kenya Shillings
  2. Businesses with more than 10
  3. Businesses dealing with personal data such as client records, account details, medical history, next of kin, service providers and supplier information, etc.

Failing to comply with the Kenya Data Protection Act leads to expensive fines, imprisonment or both.

Organizations are fined up to Kenya Shillings 5,000,000/

Individuals face fines in excess of Kenya Shillings 3,000,000, years in prison or