Understanding Data Protection Impact Assessments (DPIA) under the Kenya Data Protection Act

Section 31 of the Data Protection Act of Kenya mandates the performance of Data Protection Impact Assessments (DPIAs) when there is a potential “high risk to the rights and freedoms of data subjects” arising from data processing activities. DPIAs serve as a critical tool to identify and mitigate risks associated with the processing of personal data, ensuring compliance with data protection regulations.

What is a DPIA?

A DPIA is a systematic process designed to identify and assess the risks associated with processing personal data. Its primary objective is to minimize these risks as early as possible, ensuring that individuals retain control over their data. While a DPIA may not completely eliminate risks, it helps organizations identify, manage, and mitigate them effectively.

A DPIA encompasses several essential elements, including:

  1. Systematic Description of Processing Operations and Purposes:
    DPIAs involve a detailed description of the processing operations and their intended purposes, including the legitimate interests pursued by the data controller or processor.
  2. Assessment of Necessity and Proportionality:
    An evaluation of the necessity and proportionality of the processing operations in relation to their intended purposes is conducted to ensure compliance with data protection principles.
  3. Identification of Risks to Data Subjects’ Rights and Freedoms:
    DPIAs assess the potential risks posed to the rights and freedoms of data subjects resulting from the processing activities, considering factors such as data sensitivity and potential impacts.
  4. Measures to Address Risks and Safeguards:
    DPIAs outline the measures envisaged to address identified risks, including safeguards, security measures, and mechanisms to protect personal data. These measures demonstrate compliance with data protection regulations and prioritize the rights and legitimate interests of data subjects.

Under the Data Protection Act, DPIAs must be submitted at least 60 days before the commencement of proposed processing activities. While DPIAs may not eliminate all risks, they facilitate the identification and management of potential privacy concerns, promoting accountability and transparency in data processing practices.

When is a DPIA Required?

According to Section 31 of the Data Protection Act, a DPIA is mandatory where a processing operation is likely to result in a high risk to the rights and freedoms of data subjects. To give a more concrete picture of the processing operations that require a DPIA because of their inherent high risk, and taking into account the elements of Section 31(1) and other provisions of the Act, the following eight criteria should be considered.

Criteria for DPIA:

  1. Automated Decision-Making: Processing that significantly affects individuals’ legal rights or produces legal effects concerning them.
  2. Systematic Monitoring: Observing, monitoring, or controlling data subjects through surveillance or network data collection.
  3. Sensitive Personal Data: Processing special categories of personal data that pose increased risks to individuals’ rights and freedoms.
  4. Large-Scale Processing: Processing a large volume or range of data items over an extended duration or geographical area.
  5. Matching or Combining Datasets: Integrating data from multiple sources in a way that exceeds data subjects’ reasonable expectations.
  6. Vulnerable Data Subjects: Processing data of individuals who may face challenges in exercising their rights, such as children, employees, or vulnerable populations.
  7. Innovative Technology Use: Employing new technological solutions with potential impacts on individuals’ privacy and rights.
  8. Preventing Rights Exercise: Processing operations that hinder individuals from exercising their rights, such as access to services or contracts.

It is essential to recognize the specific processing operations that warrant a DPIA. Processing that meets one or more of the criteria above may trigger the need for a DPIA. However, even where a DPIA is not mandatory, conducting one proactively can help mitigate risks and ensure compliance with data protection laws.

Data controllers and processors have a responsibility to implement appropriate technical and organizational measures to manage risks effectively and protect the rights of data subjects. By conducting DPIAs and integrating privacy considerations into their operations, organizations can uphold data protection principles and safeguard individuals’ privacy rights in an evolving digital landscape.

In conclusion, DPIAs play a critical role in ensuring that data processing activities are conducted responsibly and ethically. By identifying and addressing potential risks early on, organizations can uphold individuals’ privacy rights and comply with legal obligations. Embracing DPIAs as part of data governance practices demonstrates a commitment to data protection and accountability in today’s data-driven world.

At Sentinel Africa we will be glad to help you through the Data Protection and Privacy compliance journey; reach out to us at [email protected]

The full Guidance Note on Data Protection Impact Assessment issued by the Office of the Data Protection Commissioner is available for viewing and download below.
