What Are the 7 Data Protections?


The Data Protection Act 2019 established seven core principles that govern how Kenyan organizations handle personal data. They mirror international laws like the GDPR and aim to safeguard individual privacy through lawful, transparent, and accountable processing.

  1. Lawfulness, Fairness & Transparency

Collect data only on a valid legal basis and inform data subjects how it will be used.
Compliance tips: create plain-language privacy notices, record consent, and identify the processing basis for each activity (contract, legal duty, legitimate interest, etc.).

  2. Purpose Limitation

Use data solely for the specific purpose for which it was collected. Example: email addresses collected for billing cannot be repurposed for marketing without fresh consent.

  3. Data Minimization

Gather only the information necessary for your stated objective.

  4. Accuracy

Maintain accurate records and allow individuals to correct errors promptly.

  5. Storage Limitation

Retain personal data only for as long as it is needed. Implement retention schedules and secure deletion procedures.

  6. Integrity and Confidentiality (Security)

Use technical and organizational controls such as encryption, restricted access, and staff training. Report personal data breaches to the ODPC within 72 hours if they pose a high risk to data subjects.

  7. Accountability

Demonstrate compliance through documentation, impact assessments, and (if required) appointing a Data Protection Officer (DPO).

Practical Steps for Businesses

Conduct data audits annually.

Adopt a written privacy management framework.

Train employees on data handling.

Encrypt and back up sensitive information.

Review vendor contracts for data clauses.

How KN Legal Associates Can Help

Our Data Protection Services team advises businesses on compliance frameworks, privacy policies, and ODPC engagement. Contact us for tailored legal guidance.
Disclaimer: This content is for informational purposes only and does not constitute legal advice.

FAQs

  1. What are the 7 principles of data protection in Kenya? Lawfulness & fairness, purpose limitation, data minimization, accuracy, storage limitation, security, accountability.
  2. Who enforces data protection laws? The Office of the Data Protection Commissioner (ODPC).
  3. Do SMEs need a DPO? Only if processing sensitive or large-scale data, but it’s best practice.
  4. Penalties for non-compliance? Fines up to KES 5 million or 1% of turnover.
  5. How to prove accountability? Keep records, perform audits, train staff.
