Kenya’s Data Protection Act 2019: What Businesses Must Know


The Data Protection Act, 2019 (DPA 2019) is one of the most important pieces of legislation for businesses in Kenya today. It establishes a legal framework that protects the privacy of individuals while setting out obligations for organizations that collect and process personal data.

For businesses, this law is not just about legal compliance. It is about building trust, protecting reputation, and avoiding costly penalties. Let us explore what the Act means for your organization, the key principles it introduces, and the practical steps you can take to align with it.


Key Principles of the Act

The DPA 2019 is grounded in several core principles that guide how personal data should be handled.

Lawfulness, fairness and transparency. Data must be collected in a way that is lawful, honest and transparent to the person providing it.

Purpose limitation. Data collected for one purpose cannot be used for unrelated activities without proper consent.

Data minimization. Organizations should only collect the data that is strictly necessary for their operations.

Accuracy. Businesses must ensure the data they hold is correct and kept up to date.

Storage limitation. Data should not be kept longer than necessary for the purpose it was collected.

Integrity and confidentiality. Organizations must secure data against unauthorized access or misuse.

These principles are the foundation for every compliance program in Kenya.


Rights of Data Subjects

The Act grants individuals, also known as data subjects, specific rights over their personal information. Businesses must respect and enable these rights.

  • The right to be informed about how their data is used
  • The right to access the personal data held about them
  • The right to correction or deletion of inaccurate data
  • The right to withdraw consent at any time
  • The right to object to certain types of data processing
  • The right to data portability, allowing transfer of data from one service provider to another

Failure to respect these rights can result in enforcement action from the Office of the Data Protection Commissioner (ODPC).


Obligations for Data Controllers and Processors

If your business determines how personal data is used, you are considered a data controller. If you process data on behalf of another business, you are a data processor. In either case, the law places direct obligations on you.

  • You must register with the ODPC as a data controller or processor if you meet the thresholds set out in the law
  • You must develop internal policies and procedures that reflect the requirements of the DPA 2019
  • You must obtain clear and valid consent before collecting personal information
  • You must implement appropriate security measures, including encryption, access controls and staff training
  • You must report data breaches to the ODPC and affected individuals in a timely manner

Enforcement by the ODPC

The Office of the Data Protection Commissioner is the regulator responsible for enforcing the Act. The ODPC has broad powers, including the ability to conduct audits, issue compliance notices and impose penalties.

Penalties can reach up to five million shillings or one percent of annual turnover, whichever is lower. In addition to financial penalties, the ODPC can suspend processing activities or refer cases for criminal prosecution.

Recent enforcement actions in Kenya have already targeted banks, healthcare providers and educational platforms. This shows that the law is not theoretical. It is being actively applied.


Practical Steps for Compliance

Complying with the DPA 2019 requires a proactive approach. Businesses in Kenya should begin by:

  • Conducting a data audit to understand what personal information is collected and why
  • Registering with the ODPC where required
  • Drafting or updating privacy policies and making them accessible to customers and staff
  • Training employees on data protection and security practices
  • Putting in place breach response plans to ensure quick and transparent action if an incident occurs

Conclusion

The Data Protection Act 2019 is not a barrier to business. It is an opportunity to strengthen trust with customers and partners. Companies that embrace compliance will not only avoid penalties but also gain a competitive edge in a marketplace where privacy and security are increasingly valued.

Consult us to align your business with DPA 2019 and safeguard your reputation
