Kenya Data Protection Act: A Practical Compliance Checklist for Businesses
A plain-English Kenya Data Protection Act (2019) compliance checklist — registration with the ODPC, lawful processing, data subject rights, breach notification and penalties. From Neurobyte Technologies.
Kenya Data Protection Act — what you need to do, in short
If your business collects, stores or uses personal data about people in Kenya — customers, staff, patients, users — the Data Protection Act, 2019 applies to you, regardless of your size or sector. At a minimum you must: register with the Office of the Data Protection Commissioner (ODPC) if you meet the thresholds, only process data with a lawful basis, tell people how you use their data, honour their rights over it, secure it, and report serious breaches within 72 hours. Get those right and you've covered most of your obligations.
The rest of this guide turns that into a practical checklist. (This is general guidance, not legal advice — confirm specifics for your situation with the ODPC or a qualified advisor.)
Who the Act applies to
The Act covers any "data controller" (you decide why and how personal data is processed) and any "data processor" (you process it on someone else's behalf). It applies to businesses established in Kenya, and to those outside Kenya that process the personal data of people in Kenya. There is no blanket small-business exemption from the principles — a one-person shop with a customer list is still a data controller.
The compliance checklist
1. Map your data. Before anything else, know what personal data you hold, where it lives, why you have it, who you share it with, and how long you keep it. You cannot protect or account for data you haven't mapped. This "record of processing" is the foundation everything else builds on.
2. Register with the ODPC (if you meet the threshold). Many data controllers and processors must register with the Office of the Data Protection Commissioner. Smaller entities below the turnover and headcount thresholds may be exempt — but businesses in sensitive sectors (such as health, finance, telecommunications and education) and those handling large volumes or sensitive data are generally required to register regardless of size. Check the current mandatory-registration criteria and fees on the ODPC website, because they're updated periodically.
3. Establish a lawful basis for every processing activity. You need a valid reason to process personal data — typically consent, performance of a contract, a legal obligation, protecting someone's vital interests, a public task, or legitimate interests. Consent must be freely given, specific and informed; pre-ticked boxes and "agree to everything" bundles don't count. Identify which basis applies to each activity you mapped in step 1.
4. Write a clear privacy notice. Tell people, in plain language, what data you collect, why, what your lawful basis is, who you share it with, how long you keep it, and how they can exercise their rights. This is usually a privacy policy on your website plus notices at the point of collection.
5. Be ready to honour data subject rights. People have the right to be informed, to access their data, to correct it, to have it deleted, to object to processing, and to data portability. You need a process to receive and respond to these requests within the timelines the Act sets, rather than scrambling when the first one arrives.
6. Take extra care with sensitive personal data. Health data, ethnicity, religious beliefs, sexual orientation, financial details and similar categories get stronger protection and usually require an explicit basis and tighter controls. If you handle them, treat them as high-risk by default.
7. Run a Data Protection Impact Assessment (DPIA) for high-risk processing. Before launching anything likely to pose a high risk to people's rights — large-scale profiling, processing sensitive data at scale, new surveillance — assess the risks and how you'll mitigate them. Document it.
8. Secure the data. The Act requires appropriate technical and organisational security. In practice that means access controls, encryption, secure backups, staff training, vendor due diligence, and a plan for when something goes wrong. Security is where most breaches — and most penalties — actually originate.
9. Control cross-border transfers. If you send personal data outside Kenya (including to many cloud providers), you must ensure appropriate safeguards or a valid basis for the transfer. Some categories of processing may need to be carried out on servers located in Kenya. Know where your data physically goes.
10. Prepare for breaches. If a breach is likely to harm people, you must notify the Data Commissioner within 72 hours of becoming aware of it, and inform affected individuals where there's real risk. That's only achievable if you have detection and a response plan in place beforehand.
11. Appoint a Data Protection Officer where required. Certain organisations must designate a DPO to oversee compliance. Even where it isn't mandatory, naming someone accountable for data protection is good practice.
What's at stake
The Data Commissioner can impose administrative penalties of up to KES 5 million, or up to 1% of an undertaking's annual turnover, whichever is lower — and certain offences carry heavier criminal penalties. But the bigger risk for most businesses is reputational: losing customer trust after a public breach or complaint usually costs far more than the fine.
How Neurobyte helps
Neurobyte Technologies helps Kenyan businesses build compliance into their systems rather than bolting it on afterwards. We carry out data mapping and DPIAs, design privacy-respecting architectures, implement the security controls the Act expects, support ODPC registration, and put breach detection and response in place through our security operations. Compliance done well isn't just paperwork — it's a more secure, more trustworthy business.
Need help getting compliant? Book a free consultation: +254 725 722 965 or info@neurobyte.co.ke.
Frequently asked questions
Does the Kenya Data Protection Act apply to small businesses?
Yes. Any business that processes personal data is a data controller and must follow the Act's principles. Some small entities are exempt from mandatory ODPC registration, but they still must process data lawfully, secure it, and honour data subject rights.
Do I have to register with the Office of the Data Protection Commissioner?
Many controllers and processors must register, while smaller entities below the turnover and staff thresholds may be exempt. Businesses in sensitive sectors or handling large volumes of data generally must register regardless of size. Check the current criteria on the ODPC website.
How quickly must I report a data breach in Kenya?
Where a breach is likely to harm individuals, you must notify the Data Commissioner within 72 hours of becoming aware of it, and inform affected people where there is a real risk to their rights.
What are the penalties for non-compliance?
The Data Commissioner can impose administrative fines of up to KES 5 million or up to 1% of annual turnover, whichever is lower, and some offences carry criminal penalties. Reputational damage from a breach often costs more than the fine itself.
Is the Kenya Data Protection Act similar to GDPR?
Yes. The Act is closely modelled on the EU's GDPR, sharing the same core principles, lawful bases and data subject rights, though registration, cross-border and enforcement details are specific to Kenya.