Kenya as a country, has faced commercial and political exploitation of personal data. Citizens have been subjected to texts that contain campaign messages and rallying calls from electoral candidates and political parties, subscription texts are often received without the person having subscribed to receiving such texts, texts have been used to market products and then there is the incessant cold calls by marketers who may have collected your phone number from unknown sources.

Unfortunately, before this law, personal data collected was a trade commodity with no regard to the consent of the owner of the data. This was not an offence in law as Kenya had no legislation protecting its citizens from the exploitation of personal data.

The rapid technological advancements going on globally affect government, business, and the socio-economic fabric of our modern society. Data is the abundant resource that is fueling these advancements and to be more specific personal data. It is, therefore, imperative that the manner in which personal data is collected, processed, and stored is given the legislative significance it deserves.

This was the rallying call behind the assent of the Data Protection Act 2019 on the 8th of November 2019 by His Excellency President Uhuru Kenyatta.

It is imperative to state that compliance with this Act will significantly affect how each organization deals with data, from the security guard who collects personal data while entering a building, the nurse who takes a patient’s information in the triage to tech companies that process digital data through apps and websites. It affects all organizations regardless of the size of employees.

The main purpose of the Data Protection Act 2019, as described in section 3 of the Act, is to regulate the processing of personal data in order to protect individuals by establishing legal and institutional mechanisms to protect data.


Data has been defined as any information which is collected, recorded, organized, stored, or disseminated manually or by automation. Data is information collected from any human being or what the act has defined as a “data subject”. This includes but is not limited to a person’s name, location, gender, marital status, age, contact details, health information, Identity number, social/cultural/economical identity, biometric information etc.

Simply, any information that identifies a person, or you the reader of this article, in any way is considered as protected and personal data under the Act.

The Act establishes the office of the Data Protection Commissioner, whose main role is to oversee the implementation and enforcement of this Act, which includes maintaining a register of data controllers and data processors and oversee that data is treated in line with the Data Protection Act.


To validly answer this question, there is a need to understand who is a Data Controller and who is a Data Processor.

A Data Processor is any person, company or public body that processes(i.e. collects, record, organizes, disseminates etc.) any personal data on behalf of a Data Controller. A data processor may be an agent of the Data Controller.

A Data controller on the other hand is any person, company or public body that determines the purpose and means of processing personal data that has been received by the Data Processor.

Sounds complex? Below are examples that contextualizes a data processor and a data controller.


A bank teller who takes details of a customer, potential or otherwise, is a data processor as they are collecting and recording information on behalf of the Bank. It is the Bank, as a data controller, that will determine what to do with that information, how to store it, and whether to disseminate it i.e. is the person eligible for a loan, are they eligible to open an account, should they report a transaction to Central Bank or the defaulting customer to CRB, etc.

In an organization, the Human Resource Department is the data processor in a company, as the HR collects information during the interviewing of potential employees, the employment period of the employee, the marital status, health status, age, tribe, gender, etc., and then hands over this information to the employer, who is the Data controller and uses this information for its purposes and to make relevant decisions.

Facebook, the social media app, is both a data controller and a data processor. As a data controller it processes information fed into it such as likes and dislikes, browsing patterns, pages visited, online preferences and habits etc. As a data Processor, facebook collects and analyses the data of its user and where consent is granted, it is released as analytics to advertisers and third parties.

Finally, a hospital/clinics have agents such as secretaries, nurses, and doctors who collect and record the health information of its patients. These are the data processors. The hospital then chooses what to do with this information through its doctors or its agents.

Simply put, the data controller controls the procedures and purpose of data usage while the data processor collates the information for the data controller. The data controller will be the one to dictate how and why data is going to be used by the organization. The data processor has no possessory rights over the data as it is an agent of the data controller.


The Act requires that data controllers and data processors need to register with the Data Protection Commissioner at the Data Registry and shall be issued with a Certificate of Registration if all the statutory requirements for registration are met.

The Commissioner shall prescribe thresholds required for the Mandatory registration of data controllers and data processors based on;

  1. The Nature of the Industry
  2. The volumes of data Processed
  3. The sensitivity of the data processed

This means while every person or company may be a data processor or a data controller, not all of them may qualify for mandatory registration due to the nature of work or volumes of data being processed. Despite the lack of mandatory registration, these companies will still be required to be observant of and compliant with the protection of personal data.

During registration, the organization must describe the type of personal data it processes, measures and safeguards for the protection of data and any measures towards the indemnification should there be a breach in the use of personal data.


A data protection officer is a role within a company or organization whose responsibility is to ensure that the company or organization is correctly protecting individuals’ personal data according to Act. This means that the officer will train the employees of the data controller/processors, ensure compliance with the law, facilitate capacity building of staff involved with data processing and provide a data protection impact assessment of the organization.

The choice to hire a data protection officer permanently depends on the volume, nature, and sensitivity of the data processed. However, organizations can choose to hire a consultant or share a data protection officer.


Data Subjects, being yourselves, are greatly empowered by the Act and through the following rights. The right to;

Be informed of the use of the data;

Access their data in the custody of a Data Controller or Processor;

Object to the processing of all or part of their data;

Correction of false or misleading data;

Consent to data is being collected;

Withdraw consent earlier granted to process data;

Object to the processing of data;

Notification of any personal data breach by an unauthorized party.


Data must be processed in a manner that: upholds the data subject’s right to privacy; lawfully; limited to the purpose for which it is collected; limited to the legitimate purpose for which it is collected; accurate and up to date;  kept in a form which identifies the data subjects for no longer than is necessary; and not transferred outside Kenya save as permitted in the Act.

The Data Controllers and Processors have an obligation to conduct a Data Protection Impact assessment where a processing operation is likely to result in a high risk to the rights of the Data Subject.

When transferring personal data outside the country, the Data Controller or Processor needs to give safeguards and proof that the data will be protected and where the data is sensitive, the data controller or processor shall require the consent of the data subject.


Section 51-55 of the Act provides for certain exemptions from complying with the principles of data protection. These include matters of national security, in course of purely personal/household activity, written law, court order, and publication of literary material for public interest or research.


The Act empowers a data subject to lodge a complaint at the Office of the Data Commissioner. The complaint is to be investigated within 90 day.

In the event that it is established that there has been a breach in the compliance of the Act, the Data Commissioner will issue an enforcement notice. This notice will require the person or entity served to comply with the provision of the Act in which they are non-compliant within a period prescribed by the notice. Failure to comply with the notice without sufficient reason is an offense that on conviction warrants a five million Kenya shillings fine or imprisonment for not more than 2 years or both.

Offences include obtaining information and disclosing personal data to third parties without authority where the Data Controllers and Data Processors are liable to a fine of three million Kenya Shilling or imprisonment for a term not exceeding ten years or both is applicable.

Data subjects who have suffered damage as a result of a contravention of their rights are entitled to compensation from the Data Controller or Data Processor. Damage, as defined by the Act, includes financial loss and non-financial loss like distress.


The Data Protection Act applies to every organization regardless of whether it has 5 employees or hundreds of employees. It will affect all industries and particularly organizations that process high volumes of data such as Schools, Hospitals, Employers, Banks, Trustees, Government bodies, the Judiciary, security agencies and the tech industry.

All these organizations need to implement technical and organizational measures to implement the Data Protection principles and integrate necessary safeguards in the processing of personal data.


The office of the Data Protection Commissioner is yet to be functionally created as at the date of publishing this article. However, this does not mean that organizations should sit idly by. Instead, they ought to prepare themselves by the creation of data policies, educating its staff on how to treat data, assess the risk of breach in their organization and work towards mitigation.

Organizations will have to come up with ways to encrypt data and formulate data-limiting processes, policies, and guidelines that will modify their data structures so as to mitigate data transfers and have their employees comply with the Act in the use of personal data. Currently, we have organizations that have policies against the use of social media, USB data transfer, use of personal emails at the office or with the office computer, and limitations on sites that a data controller can log into, to name but a few.

At MMW Advocates, we are keen on ensuring that our clients are fully informed so as to avoid issues of non-compliance. To that end, Kindly feel free to reach out to MMW Advocates in case you need your team trained on the Data Protection Act or in case of any queries.

Leave a Reply

Your email address will not be published. Required fields are marked *

This field is required.

This field is required.