Why Registration Matters

Kenya’s Data Protection Act requires any entity handling personal data of Kenyan residents even subsidiaries of foreign companies to register with the ODPC. Many companies assume compliance is automatic if they follow global standards like GDPR. This is a mistake. Local adaptation is essential.

The 5-Step Checklist for Foreign Subsidiaries

Data Mapping

Understand what categories of personal data you will collect in Kenya (customer, employee, vendor). Identify sensitive categories, such as health or financial data.

ODPC Registration

Determine whether your entity qualifies as a controller, processor, or both. File registration forms and pay fees before commencing processing.

Policy Localization

Adapt global policies to Kenyan requirements. Key differences include consent provisions, children’s data protection, and data subject rights timelines.

Cross-Border Transfers

If you intend to transfer data outside Kenya, assess mechanisms like contractual clauses or adequacy decisions. The ODPC closely monitors cross-border flows.

Incident Response

Prepare a breach response plan. Kenyan law requires notification to the ODPC and affected individuals within 72 hours.

Practical Takeaways

Do not assume GDPR compliance equals Kenyan compliance.

Registration with ODPC is mandatory before processing begins.

Tailor policies and contracts to Kenyan law.

Establish clear incident response procedures.

Conclusion

For foreign subsidiaries, compliance is not a “later” task. It is part of the market entry strategy. A well-prepared compliance plan ensures smoother operations and builds trust with both regulators and consumers.