Compliance with the Data Protection Act

With the Data Protection Rules coming into force and the registration date for data protection officers taking effect from 14th July 2022, all companies need to comply with the Data Protection Act 2019 or risk being penalized by the regulator.

What do companies need to do?

  1. Conduct data protection training for all persons in your Organisation.

Such training brings the staff and all persons in the organisation up to speed on all matters relating to data collection, data handling, and data protection.

  2. Come up with data protection policies within the Organisation.

These policies outline the institution's culture vis-à-vis data collection, data handling, retention of data, consequences of data breaches, etc.

  3. Appoint data protection officers.

These are the officers who assist the company in complying with the Data Protection Act and the regulations.

  4. Carry out data protection impact assessments.

Companies collecting data, particularly personal and sensitive data, must conduct data protection impact assessments to assess the risks the company faces in relation to the data it collects and/or handles.

  5. Put in place data breach management strategies.

The Data Protection Act provides for protection by design and protection by default. These two mechanisms are what companies have to consider when coming up with data breach management strategies. They need to create strategies that are foolproof against breaches of data.

  6. Register with the ODPC.

As stipulated in the law, companies that are data controllers or data processors must register with the regulator and obtain registration certificates.

In this regard, sectors that need to be alert to the mandatory registration requirements include security/crime prevention, educational institutions, provision of patient health care, telecommunications network or service providers, transport services firms (including online passenger hailing applications), and hospitality.

Data controllers or processors with an annual turnover (applicable to non-profit entities) or revenue (applicable to profit-making entities) below Five Million Kenya Shillings for the year immediately preceding registration, and fewer than 10 employees, are exempted from registration.

What consequences do companies face for non-compliance?

The Registration of Data Controllers and Data Processors Regulations create offenses where a company: processes personal data without registering in accordance with these Regulations; provides false or misleading information for the purpose of registration; or fails to renew the certificate of registration upon expiry. These offenses attract a fine of up to Three Million Kenya Shillings (Kshs. 3,000,000), a term of imprisonment of up to ten (10) years, or both.

For more information on compliance with the Data Protection Act reach out to us at or 0746782724
