The Global Data Dilemma
Modern corporations depend on international data flows, whether through shared HR systems, cloud platforms, or cross-border customer services. For multinationals entering Kenya, the question is not if data will cross borders, but how.
Kenya’s Legal Framework
Section 48 of the Data Protection Act restricts transfers of personal data outside Kenya unless specific safeguards are in place. The ODPC has issued guidance requiring companies to demonstrate “adequate protection” for Kenyan data abroad.
Approved Transfer Mechanisms
- Adequacy Decisions: Transfers to jurisdictions recognized by Kenya as having adequate protection.
- Contractual Clauses: Standardized clauses that ensure data held abroad is protected to Kenyan standards.
- Data Subject Consent: Possible, but not sufficient for systematic transfers.
- Regulatory Approval: For certain sensitive data or special transfers.
Risks of Non-Compliance
Failure to comply could result in:
- Suspension of cross-border transfers.
- Regulatory penalties.
- Inability to process payments or HR functions.
Practical Guidance for Corporations
- Map data flows early.
- Incorporate transfer clauses into contracts with global affiliates and vendors.
- Engage the ODPC where approval is uncertain.
- Build flexible data infrastructure that anticipates evolving rules.
Takeaways
- Cross-border transfers are a critical compliance issue.
- Legal safeguards must be in place before operations begin.
- Kenya’s ODPC is taking cues from GDPR, but localization is essential.
Conclusion
Kenya is open for international business, but companies must respect local sovereignty over personal data. With careful planning and legal structuring, compliant data flows can be achieved without disrupting operations.
Author bio: Kathurima N Advocates, Advocate of the High Court of Kenya, specialist in data protection & market entry advisory.