New Regulations Guiding Data Protection in Kenya Come into Force

The much-awaited regulations for the implementation of the Data Protection Act, 2019,  which were gazetted in January, have been approved and are now in force.


The regulations are a set of three and comprise of:


  • the Data Protection (General) Regulations, 2021 (the General Regulations);
  • the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Registration Regulations); and
  • the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 (the Complaints Regulations).

The DPA itself has been in force since 2019 and parties are expected to be compliant with it. 


These regulations cater for the procedural aspects of the DPA, and cover a wide spectrum from the transfer of personal data, to how data subjects’ rights should be provided for, what the thresholds and requirements are for the registration of data controllers and data processors, how complaints relating to infringements and contraventions of the DPA will be handled and how enforcement procedures will be undertaken.


With the regulations in place, businesses should have a greater understanding of what is required of them to ensure that they are compliant under the law. At the same time, they can expect heightened scrutiny by the Office of the Data Protection Commissioner (ODPC) which is expected to be checking on data protection compliance; necessitating businesses to rethink their operating models, particularly those that are reliant on the processing of personal data such as those in e-commerce, financial services, hospitality and the health sector.


Below,  are the pertinent provisions of the regulations.


1. The General Regulations


  • The General Regulations provide for the various instances which trigger obligations for data controllers and data processors to data subjects what the lawful bases for collection and processing of personal data are;
  • how personal data should be collected and when processing may be restricted;
  • how data access requests should be made;
  • when and how personal data should be rectified; and
  • when and how data subjects can request for the erasure of their personal data.

Additionally, the General Regulations provide for restrictions on the use of personal data for commercial purposes, a data controller or processor is considered to use personal data for commercial purposes where commercial or economic interests are sought after, primarily through direct marketing.


Furthermore, the General Regulations outline the obligations of data controllers and processors in various instances such as:


  • retention of personal data;
  • sharing of personal data;
  • engagement of third parties by data processors;
  • requirement for processing of personal data for strategic state interests;
  • notification of personal data breaches; and

transfer of personal data outside Kenya. as well as provide for exemptions under the DPA, which include data processing in relation to national security and public interest.


2. The Registration Regulations


The Registration Regulations operationalise the requirement for data processors and data controllers to register with the ODPC, and are set to come into force 6 months from the date of publication, which the ODPC says is in July 2022. Registration is meant to take place online on the ODPC’s website.


3. The Complaints Regulations


The Complaints Regulations primarily deals with the procedure for lodging a complaint with the ODPC. Generally, a data subject has the option of either lodging a complaint orally, through electronic channels of communication or by any other appropriate means, or in person.


Additionally, the Complaints Regulations provide for the issuance of enforcement and penalty notices, as contemplated under the DPA.


The regulations add to the previously issued Guidance Notes on Data Protection Impact Assessments, Consent and the ODPC’s Complaints Management Manual in providing much-needed clarity with respect to the obligations of data controllers and data processors.


Over the course of the next few days, we will be sharing a comprehensive analysis of the data protection regulations, the guidance notes, as well as the complaints management manual, and their impact on doing business in Kenya in a 6-part series. 




Read the article at Anjarwalla & Khanna.

Subscribe to our newsletter