Latest updates: Compliance with GDPR and Data Protection Act in Kenya

Registration is effective from the 14th of July 2022 for an organisations data controller/processor to register with the Government (grace period of 6 months).

Actions to support Data Privacy Regulations
In early 2022 Kenya’s new data protection regulations came into effect, governing what businesses inside and outside the country can do with information about Kenyan citizens. The law is far-reaching and will have a significant impact on how many companies process data. It represents a major step forward for people’s online privacy in the country.

Costs to organisations who fail to comply with the DPA

3,000,000 KSh

Individuals could face fines not exceeding three million shillings or an imprisonment term not exceeding ten years, or both.

5,000,000 KSh

Serious non-compliance could result in fines of up to five million shillings, or in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower.

OneTrust demo

OneTrust provides comprehensive enterprise privacy management software to help organisations operationalize compliance and privacy by design.
More information about OneTrust

Request a demo of OneTrust software, and how it can better support a robust compliant policy for the GDPR and Data Protection Regulations.

So, what should you do next?

  • Registration is effective from the 14th of July 2022 for an organisations data controller/processor to register with the Government. There is a grace period of 6 months to do so
  • Those exempted from the registration are sectors whose revenue/turnover is less than Ksh.5million(USD50,000) and less  than 10 employees
  • If eligible, the Data controller/processor is required to submit a DPR1 form which requires you to provide information on the entities involved and the type of activities being undertaken
  • To be fully registered, you have to pay the registration fee prescribed depending on how the Data controllers/processors have been classified
  • After registration, you are issued a certificate of registration which is valid for a period of 2 years which is renewable

5 categories of registration fee:

  1. Micro/Small (Revenue of Ksh.5 Million & 1-50 employees)
  2. Medium (Revenue above Ksh.5Million but <Ksh.50 million & 51-99 employees)
  3. Large (Revenue of >Ksh.50 million & >99 employees)
  4. Public sectors
  5. Charities & religious entities (This is regardless of Revenue)

Mandatory registration requirement sectors include:

  1. Security/Crime prevention
  2. Transport services firms
  3. Hospitality
  4. Educational institutions
  5. Healthcare
  6. Telecommunications network/service providers

Guidance on registering from Millicent Alusa, Certified Privacy Professional.

DPA and GDPR support

Kenya ODPC registration quick guide for Data Processors and Controllers


Kenya’s data protection laws are now in effect: how to comply.

Read the article

Annual Compliance Program Checklist from OneTrust to help recommend actions to help your business work towards GDPR compliance and identify compliance gaps in your program.

Download the guide

The Data Protection Act impacts many areas of an organisation

Legal and compliance

Risk, Compliance and Legal Officers


Privacy strategies, resourcing, and organisational controls will need to be revised.


Implement and maintain audit trails and data journeys to proactively and comprehensively view your data and ability to demonstrate compliance with the Data Protection Act requirements.


Technology, Information & Security Officers


Technology to enable information security and other compliance initiatives, will need to be reconsidered, refocused and repurposed.


Build a platform that has privacy at the forefront of the design, build and deployment – such as data access  requests, data retention, right to be forgotten, breach notification and international and 3rd party  data transfers.


Data and Operating Officers


New Information management activities are required which specifically link to compliance demands.


Ensure data is protected, governed, managed and utilised effectively  in line with the organisation’s strategy

Gain visibility. Take action. Drive automation.

OneTrust unlocks every company’s potential to thrive by doing what’s good for people and the planet. Whether you’re a small company or a large enterprise, our Trust Intelligence Platform connects data, teams, and processes—so you can collaborate seamlessly and put trust at the center of operations and culture.

Global privacy laws like the CCPA, GDPR, and others, have required organisations to change the way they think about privacy. Now, organisations must find ways to effectively manage consumer requests, meticulously document processing activities and data transfers, and stay on top of a rapidly evolving regulatory landscape.

OneTrust demo

OneTrust offers powerful and easy-to-use compliance solutions that are purpose-built to solve challenges at scale – allowing organisations to simplify their privacy program management.  Request a demo now!

Request a demo

How FITTS services can help you

Technical and organisational measures

Ensure you are collecting, processing and disposing of Personal Data in accordance with the principles of the GDPR while put in place technical measures to safeguard Personal Data throughout the period of control.

Communication, Training & Awareness

Creating a high level of organisational awareness on privacy ensures that the organisation’s employees know and follow the rules.

Privacy Operations

Embedding privacy into your organisation's project methodology. This is done by  efficient and practical guidance during conception of a new or changed product or  service (Privacy by Design) as well as assessing new and existing systems following  the established Privacy Impact Assessment method.

Design, build and manage IT solutions

Ensure your data is as efficiently as possible, protected, governed, managed and utilised effectively in line with your organisation’s strategy.