Tech Gazette Kenya
Home/Learning Center/Cybersecurity
Cybersecurity

The Data Protection Act, 2019: How Non-Compliance Can Sink Your Kenyan Business

July 6, 20264 min read
The Data Protection Act, 2019: How Non-Compliance Can Sink Your Kenyan Business

Kenya's Data Protection Act, 2019 was enacted to give effect to the constitutional right to privacy under Article 31 of the Constitution. It applies to any business, big or small, that collects, stores, or processes personal data belonging to Kenyans — which today means almost every business with a website, a customer database, an M-Pesa till, or an employee payroll.


Many founders treat data protection as a "big company problem." That assumption has become one of the most expensive mistakes a growing business can make.


What the Act actually requires


At its core, the Act requires any organization handling personal data (called a "data controller" or "data processor") to:


- Register with the Office of the Data Protection Commissioner (ODPC), unless specifically exempted.

- Collect data lawfully, fairly, and only for a clearly stated purpose — no quietly repurposing customer data for something else later.

- Collect only what's necessary (data minimization), rather than hoarding every field "just in case."

- Keep data accurate, secure, and no longer than necessary.

- Obtain valid consent before processing personal data in most cases, and make it just as easy to withdraw consent as it was to give it.

- Respect data subject rights — customers and employees can request access to their data, ask for corrections, object to processing, or request deletion.

- Notify the ODPC of a data breach within a short statutory window, and notify affected individuals without undue delay, when the breach is likely to cause harm.

- Get approval before transferring personal data outside Kenya, unless the receiving country has adequate data protection safeguards.


Why "not knowing" isn't a defense


A lot of Kenyan SMEs assume that because they're small, or because they've never had an incident, they're not really a target for enforcement. In practice, most cases the ODPC has acted on didn't start with a dramatic hack — they started with a customer complaint, a disgruntled former employee, or a leaked spreadsheet forwarded one too many times.


The real risk to a business isn't just the possibility of a regulatory fine (which the Act does provide for, alongside potential criminal penalties for serious violations — exact figures are set out in the Act and its regulations, so check the current ODPC guidance for precise amounts). The bigger risks are usually:


- Reputational damage: Kenyan consumers are increasingly aware of their data rights, and a public data breach spreads fast on social media.

- Loss of partnerships: Larger companies and international partners increasingly require proof of data protection compliance before signing contracts.

- Operational disruption: An ODPC enforcement notice can require a business to stop processing data entirely until it comes into compliance — which, for a data-driven business, can mean stopping operations.

- Civil liability: Affected individuals can pursue compensation directly, separate from any regulatory action.


Practical first steps for a small business


You don't need a full legal department to start taking this seriously. A reasonable starting point looks like:


1. Map your data: list every place customer or employee personal data lives — CRM, spreadsheets, WhatsApp groups, payment records.

2. Check your registration status with the ODPC and register if required.

3. Write a plain-language privacy policy that actually describes what you do with data — not a copy-pasted template.

4. Set up a basic consent flow wherever you collect personal data (signup forms, checkout, job applications).

5. Limit access internally — not every employee needs access to the full customer database.

6. Have a breach response plan before you need one — knowing who to call and what to do in the first 24 hours matters more than any policy document.


Data protection compliance in Kenya is no longer optional infrastructure — it's becoming as fundamental to running a business as having a bank account or a tax PIN. Businesses that treat it as a checkbox exercise now are the ones most likely to be caught flat-footed later.


This article is for general educational purposes and isn't legal advice — for specific compliance guidance, consult the Office of the Data Protection Commissioner or a qualified data protection lawyer.



Share this guide