
Kenya's Data Protection Act 2019: What Organisations Must Do Before the Deadline

The Office of the Data Protection Commissioner is intensifying enforcement. Here are the key obligations, common compliance gaps, and a practical 90-day roadmap.

The Kenya Data Protection Act 2019 (DPA 2019) is no longer just a compliance checkbox — it is an actively enforced piece of legislation with real penalties. The Office of the Data Protection Commissioner (ODPC) has intensified its enforcement posture, completing registration of Data Controllers and Processors and beginning to issue enforcement notices to non-compliant organisations.

For organisations that have not yet taken DPA 2019 compliance seriously, the window to act proactively — rather than reactively — is narrowing.

What the DPA 2019 Requires: Key Obligations

1. Registration as a Data Controller or Processor

Any organisation that processes personal data of Kenyan data subjects is required to register with the ODPC. Failure to register is itself a breach of the Act, attracting a fine of up to KES 3 million or, for individuals, two years' imprisonment.

2. Appointment of a Data Protection Officer (DPO)

Organisations that process data at scale — including financial institutions, hospitals, telcos, schools, and government agencies — must appoint a qualified Data Protection Officer. The DPO must have adequate knowledge of data protection law and practice. Many organisations lack the internal expertise to fill this role effectively.

"ISOLS offers DPO-as-a-Service — providing your organisation with a qualified, experienced data protection officer without the cost of a full-time hire." — Wambui Njoroge, ISOLS Advisory Lead

3. Data Subject Rights

The DPA grants data subjects a suite of rights that organisations must be able to fulfil within defined timeframes:

  • Right of access to personal data held about them
  • Right to rectification of inaccurate data
  • Right to erasure (the "right to be forgotten")
  • Right to object to processing
  • Right to data portability

Meeting these rights requires that organisations have a clear data inventory — knowing what personal data they hold, where it lives, and who can access it. Without this, fulfilling a data subject access request within the required 30-day window is practically impossible.

4. Lawful Basis for Processing

Every data processing activity must have a lawful basis. Consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests are all recognised bases — but each has specific requirements and limitations. Organisations must document their lawful basis for every processing purpose.

5. Data Breach Notification

The DPA requires notification to the ODPC within 72 hours of becoming aware of a personal data breach. Affected data subjects must also be notified "without undue delay." Many organisations currently have no breach detection and notification process in place — making compliance with this requirement impossible without the right technical controls.

6. Cross-Border Data Transfers

Personal data of Kenyan data subjects may only be transferred to countries with adequate data protection laws, or with appropriate safeguards in place (e.g., Standard Contractual Clauses). Organisations using cloud services hosted outside Kenya must ensure their contracts include appropriate data transfer mechanisms.

Common Compliance Gaps We See

From our advisory engagements across Kenyan organisations, the most common DPA compliance gaps are:

  • No data inventory: Organisations cannot articulate what personal data they hold, where it is stored, or who processes it.
  • Consent mechanisms not fit for purpose: Pre-ticked boxes, bundled consent, and consent buried in T&Cs do not meet DPA standards.
  • No DPO or a DPO without adequate knowledge: A title doesn't equal competence — many appointed DPOs have no formal data protection training.
  • No breach response process: Without detection controls and a tested response playbook, meeting the 72-hour notification requirement is impossible.
  • Vendor contracts missing DPA clauses: Third-party processors (cloud providers, payroll systems, marketing agencies) must be bound by appropriate data processing agreements.

A Practical 90-Day DPA Compliance Roadmap

Days 1–30: Discover and Assess

  • Conduct a data mapping exercise — inventory all personal data, systems, and processing activities
  • Assess current state against DPA requirements via a structured Gap Assessment
  • Register with the ODPC if not yet done
  • Identify and appoint (or retain) a qualified DPO

Days 31–60: Remediate Priority Gaps

  • Update privacy notices and consent mechanisms across all customer touchpoints
  • Implement technical controls for data subject rights fulfilment
  • Deploy DLP and data classification tools to enforce data governance policies
  • Review and update all third-party processor contracts

Days 61–90: Operationalise and Train

  • Develop and test a Data Breach Response Plan (including ODPC notification process)
  • Conduct staff training on data protection obligations and internal policies
  • Establish ongoing compliance monitoring and reporting cadence
  • Submit Record of Processing Activities (ROPA) to the ODPC

ISOLS Data Protection & Privacy Advisory

ISOLS offers a full suite of data protection services: DPA Gap Assessments, DPO-as-a-Service, data mapping and classification, privacy programme design, and breach response planning. Led by Wambui Njoroge, our Advisory Lead.
