

Updated: Apr 25

What is Data Protection?

Data protection is the process of safeguarding important information from corruption, compromise or loss. Companies are obligated to safeguard personal data of their employees, clients and third parties from potential compromise.

What is Data and what kind of Data needs to be protected?

The Data Protection Act defines data as information which:

(a)    is processed by means of equipment operating automatically in response to instructions given for that purpose;

(b)    is recorded with the intention that it should be processed by means of such equipment;

(c)    is recorded as part of a relevant filing system;

(d)    forms part of an accessible record; or

(e)    is recorded information which is held by a public entity and does not fall within any of paragraphs (a) to (d).

What does the current law say on Data Protection in Kenya?

The current law (the Data Protection Act, Cap 411C), among other things, provides for the establishment of the Office of the Data Protection Commissioner, regulates the processing of personal data, and sets out the rights of data subjects and the obligations of data controllers and data processors.

Who is affected by this law?

Data controllers - a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data;

Data processors - a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;

Data controllers and data processors need to register with the Office of the Data Protection Commissioner (ODPC). Only registered persons can process personal data in Kenya unless they are exempt.

So what is data processing?

This is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:

·      collection, recording, organisation, structuring;

·      storage, adaptation or alteration;

·      retrieval, consultation or use;

·      disclosure by transmission, dissemination, or otherwise making available; or

·      alignment or combination, restriction, erasure or destruction.

What then amounts to personal data?

Personal data is any information relating to an identified or identifiable natural person. It could be general personal data such as names, physical addresses, email addresses and ID/passport details, or sensitive personal data such as race/ethnicity, political/religious beliefs, biometric data, health information and sexual relationships/orientation.

Most of this data is collected knowingly or unknowingly during the daily operations of the company by officers ranging from the security guards to top-management as well as specialised departments like Human Resource.

Who needs to register and who is exempt?

All individuals and companies based within or outside Kenya must register with the ODPC if they are processing personal data of data subjects in Kenya. These may include, but are not limited to, the following:

  • public sector bodies (including electoral campaigns) 

  • credit bureaus

  • crime prevention and prosecution of offenders (including operating security CCTV systems)

  • betting and gaming platforms

  • education

  • health care

  • hospitality services

  • faith-based or religious institutions

  • property (management and sale)

  • financial services, including insurance and retirement fund

  • telecommunication and internet service providers

  • businesses that depend on direct marketing

  • internet access 

  • transport services (including online passenger hailing applications)

  • businesses that process genetic data


However, one is exempt from registration if they:

·      had an annual turnover of less than KES 5,000,000 (Five Million Kenya Shillings) in the previous financial year, or

·      employ fewer than 10 people.


Data Governance and the Data Protection Officer

Data governance is everything you do to ensure data is secure, private, accurate, available and usable. This is usually done or overseen by a Data Protection Officer.

A Data Protection Officer (DPO) is an individual or entity which ensures that an organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection laws, rules and regulations.

A DPO may be a staff member and may fulfil other tasks and duties, provided that any such tasks and duties do not result in a conflict of interest; it could also be a company or a professional not employed by the organisation. A person may be designated as a DPO if that person has relevant academic or professional qualifications, which may include knowledge and technical skills in matters relating to data protection.

The need for a DPO and Data Protection Compliance

Recent years have seen companies, both local and international, hit with steep fines for failing to observe data privacy rights and for not complying with the provisions of the Data Protection Act.

Poor or non-existent data protection policies expose a company to breaches and to the hefty fines the ODPC may impose as a consequence.


Our team of lawyers and off-site IT specialists have received training and qualifications in data protection. Kindly contact LKK Law LLP at for more information or assistance with data protection compliance.

Joseph Mwine

