Data Protection Act Kenya

Frequently Asked Questions (Quick FAQ’s) on data protection act 2019.

How well-acquainted are you with the Data Protection Act 2019 in Kenya? An Act of Parliament gave effect to Article 31(c) and (d) of the Constitution; to establish the Office of the Data Protection Commissioner; to make provision for the regulation of the processing of personal data; to provide for the rights of data subjects and obligations of data controllers and processors; and for connected purposes

Explore our #MeaningfulMonday #MondayNuggets with a quick FAQ session:

1. When did the Data Protection Act receive assent into law?

The Data Protection act Kenya – Date of Assent: 8th November, 2019.
Date of Commencement: 25th November, 2019

2. Which office did the Data Protection Act Kenya establish?

The Data Protection Act Kenya Established the Office of the Data Protection Commissioner commonly known as the ODPC Kenya) whose HQ is at Britam Tower, 12th & 13th Floor. Hospital Road, Upper Hill – Nairobi

3. Who currently holds the position of Data Commissioner in Kenya?

Data protection commissioner is Ms. Immaculate Kassait MBS, she is the current and Kenya’s first Data Commissioner. She was sworn in On 16th November 2020.

4. Data controller vs data processor. Do you classify as a Data Controller or a Data Processor?

You’re a controller if you determine the purpose and manner in which personal data is processed. You’re a processor if you process personal data on behalf of a data controller and you’re subject to their authority e.g. a payroll service provider.

5. Registration cost? What is the registration fee with the ODPC in Kenya?

The fees payable are between Kshs. 4,000/- to Kshs. 40,000/- with a renewal fee between Kshs. 2000/- and Kshs. 25,000/- after every 2 years.
To break it down further –
1. Micro and small private organization’s (less than 50 employees and annual of less than Kshs 5 million) Registration fee – Kshs 4,000 and renewal fee Kshs 2,000 after 2 years.
2. Medium-sized private organizations (51 – 99 employees and annual turnover of more than 5 million but less than 50 million)- Registration fee – Kshs 16,000 and renewal fee Kshs 9,000 after 2 years.
3. Large private organizations (more than 99 employees and an annual turnover of more than Ksh 50 million) – Registration fee – Kshs 40,000 and renewal fee Kshs 25,000 after 2 years.
4. Public entities – Registration fee – Kshs 4,000 and renewal fee Kshs 2,000 after 2 years.
5. Charitable and religious entities – Registration fee – Kshs 4,000 and renewal fee Kshs 2,000 after 2 years.

6. Within what timeframe should a data breach be reported to the ODPC?

The Data Protection Act mandates that data controllers, must report any data breaches to the ODPC within 72 hours of becoming aware of the incident

How can we help ?

We have been in the frontline working with different organizations in Africa on their Data Protection and Privacy compliance journey including Safaricom PLC , Siginon Group, KWFT an many more. Here are a number of things we can help you with:

  1. Data Protection Act Awareness Staff Training
  2. Gap Assessment’s to determine whether you are a Data Controller, Data Processor or both.
  3. Carry out Data Protection Impact Assessments and Data Protection Audits
  4. Registration with the office of the data protection commissioner – the ODPC.
  5. Data Protection Consultancy Services
  6. Data Protection Implementation Roadmap
  7. ISO 27701 Privacy Management Systems Standard implementation
  8. Join our Upcoming Certified Data Protection Officer Trainings, become a CDPO!

No comments yet


Hello, Thank you for contacting Sentinel Africa. How may i assist you?

× WhatsApp