Why Registration Matters
Kenya’s Data Protection Act requires any entity handling the personal data of Kenyan residents, including subsidiaries of foreign companies, to register with the Office of the Data Protection Commissioner (ODPC). Many companies assume compliance is automatic if they follow global standards such as the GDPR. This is a mistake: local adaptation is essential.
The 5-Step Checklist for Foreign Subsidiaries
- Data Mapping
Understand what categories of personal data you will collect in Kenya (customer, employee, vendor). Identify sensitive categories, such as health or financial data.
- ODPC Registration
Determine whether your entity qualifies as a controller, a processor, or both. File the registration forms and pay the fees before commencing processing.
- Policy Localization
Adapt global policies to Kenyan requirements. Key differences include consent provisions, children’s data protection, and data subject rights timelines.
- Cross-Border Transfers
If you intend to transfer data outside Kenya, assess mechanisms such as contractual clauses or adequacy decisions. The ODPC closely monitors cross-border flows.
- Incident Response
Prepare a breach response plan. Kenyan law requires notification to the ODPC and affected individuals within 72 hours.
Practical Takeaways
- Do not assume GDPR compliance equals Kenyan compliance.
- Registration with the ODPC is mandatory before processing begins.
- Tailor policies and contracts to Kenyan law.
- Establish clear incident response procedures.
Conclusion
For foreign subsidiaries, compliance is not a “later” task. It is part of the market entry strategy. A well-prepared compliance plan ensures smoother operations and builds trust with both regulators and consumers.