Data Protection: Compliance Requirement and Roadmap

Who must register with the ODPC, and what does compliance look like in practice? This article explains the registration thresholds under the Data Protection Act and the sectors that must register regardless of size. It then sets out a clear two-phase roadmap, from gap assessment to implementation, policies, contracts and staff training.

Author: Masara Gecheo

Article Overview

This insight sets out a practical compliance guide for organisations processing personal data under Kenya’s Data Protection Act, 2019. It explains the ODPC registration requirement under Section 18, including who must register based on staffing and revenue thresholds, and the additional category of 19 high-risk industries that must register regardless of size. 

The article then proposes a clear two-phase compliance roadmap: first, a gap assessment to map current practices against the law; second, implementation covering registration, appointment of a Data Protection Officer, policy documentation, contract reviews, and staff training. It also highlights the financial and operational consequences of non-compliance, including penalties and potential licensing impacts.

Key takeaways

  • Registration is mandatory: data controllers and data processors, whether entities or individuals, must register with the ODPC under the DPA and the 2021 Registration Regulations (operational from 14 July 2022), subject to the threshold and sector tests below.
  • Threshold test: entities with ten or more employees or annual turnover above KES 5,000,000 must register; an entity below both thresholds is exempt unless it operates in a designated high-risk sector.
  • High-risk sectors: the ODPC designates 19 high-risk industries that must register regardless of staff numbers or turnover. These include credit bureaus, private security and CCTV operators, debt administration and factoring, betting, education, health, hospitality, insurance, faith-based institutions, property management and land sales, telecoms, direct marketing, internet access providers, transport, public sector bodies, and processors of genetic data.
  • Roadmap Phase 1 (Gap Assessment): review existing privacy frameworks, data flows, third-party sharing risk, and current documentation, supported by targeted interviews, producing a Gap Assessment Report.
  • Roadmap Phase 2 (Implementation): deliver a prioritised implementation plan, conduct validation meetings, present to management, complete registration, appoint a DPO, develop policies and procedures, update contracts/agreements, and roll out staff training.
  • Deliverables (as outlined): Gap Assessment Report, prioritised implementation roadmap, registration certificates, privacy policies and procedures, revised agreements, and bespoke staff training sessions.
  • Non-compliance consequences: administrative fines of up to KES 5,000,000 or 1% of annual turnover (whichever is lower), and possible denial of operating licences where registration requirements have not been met.

About the author

Masara Gecheo is an Associate at Rachier & Amollo LLP. In this insight, she outlines who must register with the ODPC and provides a step-by-step compliance roadmap organisations can use to build practical, auditable privacy controls.