New Regulations Guiding Data Protection in Kenya Come into Force

Kenya Data Protection Legislation ICT
16/02/2022

The much-awaited regulations for the implementation of the Data Protection Act, 2019,  which were gazetted in January, have been approved and are now in force.

 


The regulations are a set of three and comprise of:

 

  • the Data Protection (General) Regulations, 2021 (the General Regulations);
  • the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Registration Regulations); and
  • the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 (the Complaints Regulations).

The DPA itself has been in force since 2019 and parties are expected to be compliant with it. 

 

These regulations cater for the procedural aspects of the DPA, and cover a wide spectrum from the transfer of personal data, to how data subjects’ rights should be provided for, what the thresholds and requirements are for the registration of data controllers and data processors, how complaints relating to infringements and contraventions of the DPA will be handled and how enforcement procedures will be undertaken.

 

With the regulations in place, businesses should have a greater understanding of what is required of them to ensure that they are compliant under the law. At the same time, they can expect heightened scrutiny by the Office of the Data Protection Commissioner (ODPC) which is expected to be checking on data protection compliance; necessitating businesses to rethink their operating models, particularly those that are reliant on the processing of personal data such as those in e-commerce, financial services, hospitality and the health sector.

 

Below,  are the pertinent provisions of the regulations.

 

1. The General Regulations

 

  • The General Regulations provide for the various instances which trigger obligations for data controllers and data processors to data subjects what the lawful bases for collection and processing of personal data are;
  • how personal data should be collected and when processing may be restricted;
  • how data access requests should be made;
  • when and how personal data should be rectified; and
  • when and how data subjects can request for the erasure of their personal data.

Additionally, the General Regulations provide for restrictions on the use of personal data for commercial purposes, a data controller or processor is considered to use personal data for commercial purposes where commercial or economic interests are sought after, primarily through direct marketing.

 

Furthermore, the General Regulations outline the obligations of data controllers and processors in various instances such as:

 

  • retention of personal data;
  • sharing of personal data;
  • engagement of third parties by data processors;
  • requirement for processing of personal data for strategic state interests;
  • notification of personal data breaches; and

transfer of personal data outside Kenya. as well as provide for exemptions under the DPA, which include data processing in relation to national security and public interest.

 

2. The Registration Regulations

 

The Registration Regulations operationalise the requirement for data processors and data controllers to register with the ODPC, and are set to come into force 6 months from the date of publication, which the ODPC says is in July 2022. Registration is meant to take place online on the ODPC’s website.

 

3. The Complaints Regulations

 

The Complaints Regulations primarily deals with the procedure for lodging a complaint with the ODPC. Generally, a data subject has the option of either lodging a complaint orally, through electronic channels of communication or by any other appropriate means, or in person.

 

Additionally, the Complaints Regulations provide for the issuance of enforcement and penalty notices, as contemplated under the DPA.

 

The regulations add to the previously issued Guidance Notes on Data Protection Impact Assessments, Consent and the ODPC’s Complaints Management Manual in providing much-needed clarity with respect to the obligations of data controllers and data processors.

 

Over the course of the next few days, we will be sharing a comprehensive analysis of the data protection regulations, the guidance notes, as well as the complaints management manual, and their impact on doing business in Kenya in a 6-part series. 

 

 

--

Read the article at Anjarwalla & Khanna.

Related posts

Kenya Energy and natural resources Nuclear power

Kenya publishes plans for first nuclear power plant

A recently unveiled strategic plan provides a roadmap for the establishment of Kenya’s first nuclear power plant with aims of bolstering the country’s energy capacity while reducing CO2 emissions, an expert has said. The plan follows the successful introduction of Kenya’s..

Read More
Competition/Antitrust Legislation Lesotho

Lesotho's Competition Act, 2022: On the Verge of Implementation

The publication of the Competition Act, 2022 marked a significant milestone in Lesotho's economic landscape. Previously, the Kingdom of Lesotho relied on common law principles to address instances of unfair competition, resulting in inadequate enforcement against anti-com..

Read More
Mozambique Legislation Foreign investment and international trade

Unlocking opportunities: Mozambique’s new Investment Law and Regulations

As one of Africa's emerging economies, Mozambique offers abundant opportunities for domestic and foreign investors alike. In a bid to enhance a conducive environment for investment to continue fostering economic growth and development, Mozambique recently has updated its ..

Read More
Subscribe to our newsletter