Neurobyte Technologies

Kenya Data Protection Act vs GDPR: What's Actually Different?

Kenya's Data Protection Act, 2019 borrows GDPR's architecture — same lawful bases, same data-subject rights. The differences that matter: ODPC registration, cross-border transfer rules, and enforcement. What to do if you're in scope for both.

If you already understand GDPR, you understand most of Kenya's Data Protection Act, 2019. It was drafted with the European regulation clearly in view, and the resemblance is deliberate rather than coincidental — it eases adequacy discussions and gives Kenyan organisations a familiar framework.

The overlap is genuinely large. The gaps are where organisations get caught, because a team that assumes GDPR compliance transfers wholesale will miss obligations that exist only in Kenya.

Kenya DPA, 2019GDPR
RegulatorOffice of the Data Protection Commissioner (ODPC)National supervisory authorities
Mandatory registrationYes, for many controllers and processorsNo general equivalent
Lawful basesSubstantially the same setSix lawful bases
Data-subject rightsAccess, rectification, erasure, objection, portabilitySame core rights
DPO requiredFor certain controllers and processorsFor certain controllers and processors
DPIA for high-risk processingRequiredRequired
Breach notificationTo the Commissioner where real risk arises72 hours to supervisory authority
Cross-border transferOwn conditions; localisation for some categoriesAdequacy, SCCs, BCRs
Extraterritorial reachYesYes

The big one: registration with the ODPC

GDPR has no general registration requirement. Kenya does, and this is the obligation most foreign-owned and GDPR-fluent organisations miss entirely, because nothing in their European experience prepares them to look for it.

Not everyone must register. The Registration of Data Controllers and Data Processors Regulations exempt certain smaller entities on turnover and headcount thresholds — but the exemption falls away where processing personal data is a core activity, which captures far more organisations than owners expect: health, education, financial services, recruitment, telecommunications, and anyone conducting large-scale monitoring or handling sensitive personal data.

Because the thresholds and exemptions are specific, periodically updated, and turn on your actual processing rather than your size, we assess them against the current regulations rather than working from a rule of thumb. Getting this wrong is not a technicality; registration is a statutory duty.

Cross-border transfer works differently

GDPR restricts transfers outside the EEA through a well-worn machinery of adequacy decisions, standard contractual clauses and binding corporate rules. Kenya's Act imposes its own conditions on transferring personal data out of the country, and for certain categories of data there are localisation expectations that have no GDPR analogue at all.

For a Kenyan business running on Google Workspace, Microsoft 365 or AWS — meaning nearly all of them — this is not academic. Your personal data is already leaving Kenya. The Act does not forbid that, but it does require you to have established a valid basis for it and to be able to demonstrate that you did. Most organisations we assess cannot.

Where they are effectively the same

The principles are near-identical: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability. Work done for one is very largely reusable for the other.

The data-subject rights map closely — access, rectification, erasure, objection, portability, and rights around automated decision-making. Both require a Data Protection Impact Assessment for high-risk processing, both require a Data Protection Officer for certain organisations, and both reach beyond their own borders to catch foreign entities processing residents' data.

This is why we build one programme rather than two. The data mapping, the records of processing, the retention schedules, the vendor due diligence and the breach machinery serve both regimes. Only registration, transfer basis and regulator engagement need separate treatment.

What to do if you are in scope for both

Many Kenyan organisations are, and not only the obvious ones. If you have EU customers, EU staff, or you process data on behalf of a European client, GDPR applies to you regardless of where you sit.

Build to the higher standard for each obligation and document once. In practice this means adopting GDPR's 72-hour breach notification discipline as your internal standard even though Kenya's wording differs, maintaining a single record of processing that satisfies both, and running one DPIA process. Then handle separately the two things that genuinely diverge: ODPC registration, and your lawful basis for exporting data from Kenya.

Do not run two compliance programmes. We have inherited organisations that did, and the second one is always out of date — which means it is worse than not having it, because it evidences a control you are not operating.

Key takeaways

  • Kenya's Act closely mirrors GDPR: same principles, near-identical data-subject rights, same DPIA and DPO logic.
  • ODPC registration has no GDPR equivalent and is the obligation GDPR-fluent teams most often miss.
  • Cross-border transfer rules differ, and matter for anyone on Microsoft 365, Google Workspace or AWS.
  • In scope for both? Build one programme to the higher standard; treat only registration and transfer separately.
  • Two parallel compliance programmes always leaves one stale — which is worse than having only one.

Frequently asked questions

Does GDPR apply to Kenyan companies?

It can, and it does so more often than Kenyan directors assume. GDPR reaches organisations outside the EU where they offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU. A Nairobi SaaS company with European customers is in scope. So is a Kenyan firm processing personal data as a supplier to a European business, typically through obligations flowed down contractually in a data processing agreement. Being in scope does not mean starting over, because the underlying work is largely shared with your Kenyan obligations — but it does mean the higher standard applies where the two diverge.

What are the penalties under the Kenya Data Protection Act?

The Act empowers the Data Commissioner to issue enforcement notices and to impose administrative penalties, calculated against a statutory ceiling or a percentage of annual turnover, whichever is lower. Data subjects hold a separate right to compensation for damage suffered, and certain acts under the legislation carry criminal liability. Because the specific ceilings sit in statute and the Commissioner's enforcement practice continues to develop, we would rather walk you through your organisation's actual exposure than have you rely on a figure copied from a blog. In our experience the reputational consequence of a published enforcement notice exceeds the fine in any case.

If we comply with GDPR, are we automatically compliant in Kenya?

No, and this assumption is the single most common error we encounter with multinational and foreign-owned businesses. A GDPR programme gives you the great majority of the substance — principles, rights handling, DPIAs, breach machinery, records of processing — but it will not have caused you to register with the ODPC, because GDPR has no such requirement to have taught you to look. Nor will it have established a valid basis under Kenyan law for exporting personal data out of Kenya. Those two gaps are precisely the ones a regulator notices first, because they are the easiest to check.

Do we need a Data Protection Officer under Kenyan law?

Certain controllers and processors must designate one, in particular public bodies and organisations whose core activities involve regular and systematic monitoring of data subjects or large-scale processing of sensitive personal data — logic that will be familiar to anyone who has read GDPR's equivalent. The DPO must act independently, must not hold a role that conflicts with the position, and must report to the highest level of management. The role may be held by an external party, which is why outsourcing is common: a smaller organisation rarely has anyone internally who can hold both the required expertise and the required independence at once.