The Kenya Data Protection Act, 2019 (DPA 2019) is Kenya's principal data protection legislation, establishing a comprehensive framework for the protection of personal data. Assented to on 8 November 2019, the DPA 2019 created the Office of the Data Protection Commissioner (ODPC) as the independent supervisory authority responsible for enforcing data protection obligations across all sectors. The Data Commissioner may impose administrative fines of up to KES 5 million or, in the case of an undertaking, 1% of its annual turnover for the preceding financial year, whichever is lower (Section 63); the same cap applies to data controllers and data processors, and separate criminal offences carry fines and imprisonment. This guide provides a structured compliance framework for organisations operating in Kenya. For a platform that centralises DPA compliance alongside other governance requirements, see GRC software for Kenyan organisations.

What Is Kenya's Data Protection Act?

The Data Protection Act, 2019 (Act No. 24 of 2019) is Kenya's first comprehensive data protection law. It was enacted to give effect to Article 31(c) and (d) of the Constitution of Kenya, 2010, which guarantees every person the right to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed, and not to have the privacy of their communications infringed.

The Act is administered by the Office of the Data Protection Commissioner (ODPC), established under Section 5 of the Act. The Data Commissioner is appointed by the President, with the approval of the National Assembly, following a competitive recruitment process, and has the power to register data controllers and processors, receive and investigate complaints, conduct data protection audits, issue enforcement notices, and impose administrative penalties.

Key definitions under the Kenya DPA 2019:

  • Personal data: Any information relating to an identified or identifiable natural person, including name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person (Section 2)
  • Sensitive personal data: Data revealing race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including names of children), sex, or sexual orientation (Section 2)
  • Data controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of processing personal data (Section 2)
  • Data processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of a data controller (Section 2)
  • Data subject: An identified or identifiable natural person who is the subject of personal data (Section 2)

Registration with the ODPC Is Mandatory

Under Section 18 of the DPA, a person may not act as a data controller or data processor unless registered with the ODPC. The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 prescribe the registration process, fees, and renewal requirements, and set the thresholds for mandatory registration (based on annual turnover and number of employees) together with a list of sectors in which registration is mandatory regardless of size. Check the thresholds before assuming an exemption: operating without registration where it is required is an offence under the Act.

Who Must Comply?

The Kenya DPA 2019 applies to the processing of personal data by a data controller or data processor who is established or ordinarily resident in Kenya, or who is not established in Kenya but processes personal data of data subjects located in Kenya (Section 3). This provides the Act with extraterritorial reach.

The Act applies to:

  • Private sector organisations — companies, partnerships, sole traders, and other business entities
  • Public sector bodies — government ministries, departments, agencies, county governments, and state corporations
  • Non-profit organisations — NGOs, community-based organisations, religious organisations
  • Professional practices — law firms, accounting firms, medical practitioners, consultancies
  • Foreign organisations — entities outside Kenya that process personal data of Kenyan data subjects

Exemptions are limited. Processing for personal or household activities, processing necessary for national security (subject to approval by the Commissioner), and processing by a competent authority for the prevention, investigation, or detection of crime are exempt from certain provisions, but not from the core principles.

Key Provisions

The Kenya DPA 2019 establishes comprehensive obligations for data controllers and processors. Below are the principal provisions.

Principles of Data Processing (Section 25)

All processing of personal data must comply with the following principles:

  • Lawfulness, fairness, and transparency — Processing must be lawful, fair, and transparent to the data subject
  • Purpose limitation — Data must be collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes
  • Data minimisation — Data collected must be adequate, relevant, and limited to what is necessary
  • Accuracy — Data must be accurate and, where necessary, kept up to date
  • Storage limitation — Data must not be kept in a form that identifies the data subject for longer than necessary for the purposes for which it is processed
  • Integrity and confidentiality — Data must be processed in a manner that ensures appropriate security
  • Transfer limitation — Data must not be transferred outside Kenya unless there is proof of adequate data protection safeguards or the data subject's consent (see Section 48 below)

Lawful Basis for Processing (Section 30)

Processing of personal data is lawful only if the data subject has consented to it for one or more specified purposes, or the processing is necessary for one of the following:

  • The performance of a contract with the data subject, or steps taken at the data subject's request before entering into a contract
  • Compliance with a legal obligation to which the controller is subject
  • Protecting the vital interests of the data subject or another natural person
  • The performance of a task carried out in the public interest or in the exercise of official authority, including tasks carried out by a public authority
  • The legitimate interests pursued by the controller or a third party, unless the processing is unwarranted given the harm to the data subject's rights and freedoms
  • Historical, statistical, journalistic, literature and art, or scientific research purposes

The last ground has no direct counterpart in Article 6 of the GDPR and is one of the points where the two laws diverge.

Data Subject Rights (Part IV)

The Kenya DPA grants data subjects the following rights:

  • Right to be informed of the collection and use of their personal data (Section 26)
  • Right of access to their personal data held by the controller (Section 26(b))
  • Right to object to the processing of their personal data (Section 26(c))
  • Right to correction of false or misleading data (Section 26(d))
  • Right to deletion of false or misleading data (Section 26(e))
  • Right to data portability — the right to receive personal data in a structured, commonly used, machine-readable format and to have it transmitted to another controller (Section 38)

Cross-Border Transfers (Section 48)

Personal data may only be transferred outside Kenya if the controller or processor has given the Commissioner proof of appropriate safeguards for the security and protection of the data, or the transfer is necessary for the performance of a contract, for the public interest, for legal proceedings, or to protect the data subject's vital interests, or the data subject has consented after being informed of the possible risks (Sections 48 and 49). The Commissioner may request evidence of the safeguards relied upon at any time. In addition, Section 50 allows the Cabinet Secretary to prescribe categories of personal data that may only be processed through a server or data centre located in Kenya, so check for localisation requirements before designing a cross-border architecture.

DPIA Is Mandatory for High-Risk Processing

Section 31 of the Kenya DPA requires data controllers to carry out a data protection impact assessment (DPIA) before processing that is likely to result in a high risk to the rights and freedoms of data subjects. This includes large-scale processing of sensitive personal data, systematic monitoring of publicly accessible areas, and automated decision-making including profiling. Failure to conduct a DPIA where required is a compliance gap that the ODPC can investigate.

Compliance Checklist

Use this structured checklist to assess and track your organisation's compliance with the Kenya DPA 2019.

Governance & Registration

  • Register as a data controller or data processor with the ODPC (Section 18)
  • Pay the prescribed registration fee and renew registration as required
  • Designate a data protection officer or responsible person within the organisation
  • Develop and publish a data protection policy aligned with the DPA 2019
  • Establish a data governance structure with clear roles and reporting lines
  • Maintain records of processing activities

Lawful Processing & Consent

  • Identify and document the lawful basis for every processing activity (Section 30)
  • Where consent is relied upon, ensure it is freely given, specific, informed, and unambiguous
  • Implement mechanisms for data subjects to withdraw consent at any time
  • Maintain consent records with timestamps and details of what the data subject was told
  • Ensure sensitive personal data is processed only on the grounds permitted for it (Sections 44 and 45), which are narrower than the general lawful bases in Section 30

Transparency & Data Subject Notification

  • Draft and publish a privacy notice that satisfies the duty to notify data subjects (Section 29) and reflects the Section 25 principles
  • Provide the privacy notice at or before the point of data collection
  • Clearly state the purpose of processing, categories of data collected, retention periods, data subject rights, and details of cross-border transfers
  • Review all data collection points — forms, apps, websites, contracts — for compliance

Security Safeguards

  • Implement appropriate technical and organisational measures to protect personal data (Section 41)
  • Conduct risk assessments to identify threats to the security of personal data
  • Deploy encryption, access controls, pseudonymisation, and intrusion detection as appropriate
  • Regularly test and verify the effectiveness of security measures
  • Ensure data processors have adequate security measures through binding agreements (Section 42)
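The checklist names pseudonymisation among the Section 41 technical measures, and the Act defines it in Section 2 as processing such that the data can no longer be attributed to a data subject without additional information that is kept separately. The example below is added here to show the difference between a pseudonym that meets that definition and one that does not; it is not code from the original page or from any product it mentions. The record layout, the six-digit identifier format and the key handling are constructed assumptions for illustration.

```python
"""Keyed pseudonymisation of direct identifiers (added example).

Two schemes are compared on constructed sample records:
  - weak_pseudonym: an unkeyed SHA-256 of the identifier. Deterministic, but
    anyone can recompute it, so a short identifier space can be enumerated
    and every token re-identified.
  - keyed_pseudonym: HMAC-SHA256 under a secret key held apart from the
    dataset. Records with the same identifier stay linkable, but without the
    key a token cannot be recomputed, which is what makes the "additional
    information kept separately" part of the Section 2 definition real.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records. The six-digit "id_number" format is an
# assumption for the demo, not a statement about any real identifier scheme.
SAMPLE_RECORDS = [
    {"id_number": "004217", "diagnosis": "hypertension"},
    {"id_number": "918263", "diagnosis": "asthma"},
    {"id_number": "004217", "diagnosis": "follow-up visit"},
]


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed hash: reproducible by anyone who knows the scheme."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 token; the key is the separately held re-identification secret."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifier in each record with a keyed token.

    The output dataset carries no id_number field at all; only the holder of
    ``key`` can link a token back to the original identifier.
    """
    out = []
    for rec in records:
        token = keyed_pseudonym(rec["id_number"], key)
        out.append({"subject": token, **{k: v for k, v in rec.items() if k != "id_number"}})
    return out


def recover_from_weak_pseudonym(token: str, digits: int) -> Optional[str]:
    """Re-identification attack on the unkeyed scheme.

    Enumerates every zero-padded identifier of ``digits`` digits (10**digits
    candidates) and compares hashes. Against a keyed token the same loop
    finds nothing, because the attacker cannot reproduce the HMAC.
    """
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if weak_pseudonym(candidate) == token:
            return candidate
    return None


def new_pseudonymisation_key() -> bytes:
    """Generate a fresh 256-bit key.

    In production this would come from a secrets manager or HSM and never be
    stored next to the pseudonymised dataset; rotating it means re-tokenising.
    """
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for row in pseudonymise(SAMPLE_RECORDS, key):
        print(row)
    # The unkeyed scheme falls to exhaustive search over the identifier space.
    print("weak scheme recovered:", recover_from_weak_pseudonym(weak_pseudonym("004217"), 6))
    # The keyed scheme does not.
    print("keyed scheme recovered:", recover_from_weak_pseudonym(keyed_pseudonym("004217", key), 6))
```

Two practical points follow from running it: pseudonymised records remain personal data under the Act while the key exists, so they stay inside the compliance boundary, and the key itself is the control that an auditor should ask about (where it lives, who can read it, how it is rotated). If you need tokens that cannot be reversed at all, delete the key, which turns the dataset into anonymised data at the cost of all future linkability.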

Data Subject Rights

  • Establish processes to receive, verify, and respond to data subject access requests
  • Establish processes for correction, deletion, objection, and portability requests
  • Define response timelines consistent with the Act's requirements
  • Train staff on how to identify and escalate data subject requests

Data Protection Impact Assessments

  • Identify all processing activities that are likely to result in high risk to data subjects
  • Conduct DPIAs before commencing high-risk processing (Section 31)
  • Consult the ODPC where the DPIA indicates high residual risk that cannot be mitigated
  • Review and update DPIAs annually or whenever processing activities change

Breach Response

  • Develop a documented data breach response procedure
  • Notify the ODPC within 72 hours of becoming aware that personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to data subjects (Section 43)
  • Where the breach occurs at a data processor, ensure the processor notifies the controller within 48 hours of becoming aware, and build this into processing agreements
  • Notify affected data subjects in writing within a reasonably practical period, unless their identity cannot be established
  • Maintain a breach register recording all incidents
  • Conduct regular breach response exercises

Cross-Border Transfers

  • Identify all cross-border transfers of personal data
  • Verify that the receiving country has adequate data protection (Section 48)
  • Where adequacy is not established, implement appropriate safeguards or obtain consent
  • Document the lawful basis for each cross-border transfer
  • Include transfer provisions in data processing agreements

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a process designed to systematically analyse and minimise the data protection risks of a processing activity. Under Section 31 of the Kenya DPA, a DPIA is mandatory before processing that is likely to result in a high risk to the rights and freedoms of data subjects.

High-risk processing includes, but is not limited to:

  • Large-scale processing of sensitive personal data
  • Systematic and extensive profiling with significant effects on data subjects
  • Systematic monitoring of publicly accessible areas
  • Processing that involves new technologies or novel application of existing technologies
  • Processing that may result in discrimination or other significant social effects

A DPIA must describe the processing operations and their purposes, assess the necessity and proportionality of the processing, identify the risks to data subjects, and set out the measures to address those risks. Where the DPIA indicates that the processing would result in a high risk that cannot be adequately mitigated, the data controller must consult the ODPC before proceeding.

ODPC Enforcement & Penalties

The ODPC has broad enforcement powers under the Kenya DPA. Administrative fines are capped in the same way for data controllers and data processors; the Act then adds separate criminal offences:

  • Non-compliance with any provision of the Act by a data controller or data processor: administrative fine of up to KES 5 million or, for an undertaking, 1% of annual turnover for the preceding financial year, whichever is lower (Section 63)
  • Failure to register with the ODPC where registration is required: offence attracting the general penalty of a fine not exceeding KES 3 million or imprisonment not exceeding 10 years, or both (Section 73)
  • Obstruction of the Commissioner: offence punishable by fine or imprisonment
  • Knowingly or recklessly obtaining personal data without consent: offence punishable by fine or imprisonment up to 3 years

The ODPC can also:

  • Issue enforcement notices requiring specific remedial actions
  • Issue penalty notices for administrative fines
  • Conduct data protection audits of any data controller or processor
  • Order the suspension or restriction of data processing activities
  • Refer matters for criminal prosecution

Criminal Penalties Apply

Unlike some data protection laws that are purely administrative, the Kenya DPA includes criminal penalties for certain offences — including failure to register, unlawful data processing, and obstruction of the Commissioner. This means individuals within organisations can face personal criminal liability, not just the organisation itself.

Kenya DPA vs GDPR

Kenyan organisations that operate internationally or serve EU customers often need to comply with both the Kenya DPA and the GDPR. While the Kenya DPA draws on GDPR principles, there are notable differences:

  • Scope. Kenya DPA: controllers and processors established in Kenya, and those outside Kenya processing personal data of data subjects located in Kenya (Section 3). GDPR: data subjects in the EU/EEA (Article 3)
  • Regulator. Kenya DPA: Office of the Data Protection Commissioner (ODPC). GDPR: national data protection authorities
  • Registration. Kenya DPA: mandatory registration of controllers and processors with the ODPC, subject to the thresholds in the 2021 Regulations. GDPR: no registration; record-keeping obligation instead (Article 30)
  • Lawful grounds for processing. Kenya DPA: consent plus a list of necessity grounds under Section 30, including a research, statistical and journalistic ground. GDPR: six grounds under Article 6
  • DPIA. Kenya DPA: mandatory for high-risk processing (Section 31). GDPR: mandatory for high-risk processing (Article 35)
  • Breach notification. Kenya DPA: 72 hours to the ODPC, 48 hours from processor to controller (Section 43). GDPR: 72 hours to the supervisory authority, processor to controller "without undue delay" (Article 33)
  • Data portability. Kenya DPA: Section 38. GDPR: Article 20
  • Maximum administrative fine. Kenya DPA: KES 5 million or 1% of annual turnover, whichever is lower, for controllers and processors alike (Section 63). GDPR: EUR 20 million or 4% of global annual turnover, whichever is higher (Article 83)
  • Criminal penalties. Kenya DPA: yes, with imprisonment of up to 10 years under the general penalty. GDPR: generally none; left to member states (Article 84)
  • Cross-border transfers. Kenya DPA: proof of safeguards to the Commissioner, consent, contractual or public-interest necessity (Sections 48 and 49), plus possible localisation orders (Section 50). GDPR: adequacy decisions, SCCs, BCRs (Chapter V)

Organisations subject to both laws should map their controls to both frameworks. Using Dimeri, a single security control can be mapped to both Kenya DPA and GDPR requirements — tested once and credited to both, eliminating duplicate compliance effort.

Ongoing Compliance

Compliance with the Kenya DPA is an ongoing obligation, not a one-time project. Here is how to maintain sustainable compliance:

1. Integrate DPA Obligations into Your Risk Register

Treat every DPA obligation as a compliance risk with a named owner, deadline, mapped controls, and attached evidence. This ensures data protection compliance is monitored alongside all other organisational risks.

2. Renew ODPC Registration

Registration with the ODPC is not permanent. Monitor renewal deadlines and ensure registration remains current. Lapsed registration is a compliance gap and a criminal offence.

3. Conduct Annual DPIAs

Review existing DPIAs annually and conduct new assessments for any new processing activity likely to result in high risk. Changes in technology, data volumes, or processing purposes should trigger a DPIA review.

4. Train Staff Continuously

Regular data protection training — at onboarding and annually thereafter — ensures staff understand their obligations, can recognise data subject requests, and know how to report a breach.

5. Use Technology to Automate Tracking

Manual compliance tracking does not scale. A compliance management platform like Dimeri links every DPA obligation to its controls, evidence, and owner — providing a live compliance dashboard and audit-ready reports on demand.

Key Takeaways

  • The Kenya DPA 2019 is Kenya's first comprehensive data protection law, giving effect to the constitutional right to privacy under Article 31
  • Registration with the ODPC is mandatory for all data controllers and processors — failure to register is a criminal offence
  • Lawful bases for processing are set out in Section 30 and broadly track the GDPR, with an additional ground for research, statistical and journalistic purposes
  • DPIAs are mandatory for high-risk processing, with consultation of the ODPC required where high residual risk remains
  • Breach notification must be made within 72 hours to the ODPC
  • Penalties include both administrative fines (up to KES 5 million or 1% of annual turnover, whichever is lower, for controllers and processors alike) and criminal sanctions (up to 10 years imprisonment)
  • Cross-border transfers require adequacy assessment or appropriate safeguards approved by the Commissioner
  • Continuous compliance — supported by risk registers, DPIA reviews, ODPC registration renewal, and automated tracking — is essential

Frequently Asked Questions

Do I need to register with the ODPC before processing any personal data in Kenya?

In most cases, yes. Section 18 of the Kenya DPA prohibits acting as a data controller or data processor without registering with the ODPC, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 prescribe the process. The Regulations also set thresholds for mandatory registration based on turnover and staff numbers, and list sectors in which registration is mandatory regardless of size, so confirm which category you fall into rather than assuming an exemption. Operating without registration where it is required is a criminal offence that carries penalties including imprisonment. Registration must also be renewed as required by the Regulations.

What is the penalty for a data breach in Kenya?

The Data Commissioner may impose an administrative fine of up to KES 5 million or, for an undertaking, 1% of annual turnover for the preceding financial year, whichever is lower (Section 63); the cap is the same for data controllers and data processors. Failure to notify the ODPC of a qualifying breach within 72 hours (Section 43) is a separate compliance failure that can itself attract a fine. The ODPC can also issue enforcement notices, order the suspension of processing, and refer matters for criminal prosecution. Individuals who knowingly or recklessly process data unlawfully may face personal criminal liability.

Does the Kenya DPA apply to foreign organisations?

Yes. Section 3 of the Kenya DPA applies the Act to data controllers and processors that are not established or ordinarily resident in Kenya but process personal data of data subjects located in Kenya. Unlike Article 3(2) of the GDPR, the section does not limit this to offering goods or services or monitoring behaviour. This extraterritorial scope means international organisations with Kenyan customers or users must comply with the Act and, subject to the thresholds in the Registration Regulations, register with the ODPC.

When is a DPIA required under the Kenya DPA?

A DPIA is required under Section 31 of the Kenya DPA before any processing that is likely to result in a high risk to the rights and freedoms of data subjects. This includes large-scale processing of sensitive personal data, systematic and extensive profiling, systematic monitoring of publicly accessible areas, and processing involving new technologies. Where the DPIA indicates that the processing would result in a high risk that cannot be adequately mitigated, the controller must consult the ODPC before proceeding.

How does the Kenya DPA interact with sector-specific regulations?

The Kenya DPA 2019 is a cross-sectoral law that applies alongside existing sector-specific regulations. For example, financial institutions must comply with both the DPA and the requirements of the Central Bank of Kenya, while healthcare providers must comply with both the DPA and the Health Act. The DPA does not override sector-specific legislation but adds a layer of data protection obligations. Organisations should map their DPA obligations alongside sector-specific requirements in a unified compliance register to ensure complete coverage.