Latest updates: Compliance with GDPR and Data Protection Act in Kenya
Registration is effective from the 14th of July 2022 for an organisations data controller/processor to register with the Government (grace period of 6 months).
Actions to support Data Privacy Regulations
In early 2022 Kenya’s new data protection regulations came into effect, governing what businesses inside and outside the country can do with information about Kenyan citizens. The law is far-reaching and will have a significant impact on how many companies process data. It represents a major step forward for people’s online privacy in the country.
Costs to organisations who fail to comply with the DPA
3,000,000 KSh
Individuals could face fines not exceeding three million shillings or an imprisonment term not exceeding ten years, or both.
5,000,000 KSh
Serious non-compliance could result in fines of up to five million shillings, or in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower.
OneTrust demo
OneTrust provides comprehensive enterprise privacy management software to help organisations operationalize compliance and privacy by design.
More information about OneTrust
Request a demo of OneTrust software, and how it can better support a robust compliant policy for the GDPR and Data Protection Regulations.
So, what should you do next?
- Registration is effective from the 14th of July 2022 for an organisations data controller/processor to register with the Government. There is a grace period of 6 months to do so
- Those exempted from the registration are sectors whose revenue/turnover is less than Ksh.5million(USD50,000) and less than 10 employees
- If eligible, the Data controller/processor is required to submit a DPR1 form which requires you to provide information on the entities involved and the type of activities being undertaken
- To be fully registered, you have to pay the registration fee prescribed depending on how the Data controllers/processors have been classified
- After registration, you are issued a certificate of registration which is valid for a period of 2 years which is renewable
5 categories of registration fee:
- Micro/Small (Revenue of Ksh.5 Million & 1-50 employees)
- Medium (Revenue above Ksh.5Million but <Ksh.50 million & 51-99 employees)
- Large (Revenue of >Ksh.50 million & >99 employees)
- Public sectors
- Charities & religious entities (This is regardless of Revenue)
Mandatory registration requirement sectors include:
- Security/Crime prevention
- Transport services firms
- Hospitality
- Educational institutions
- Healthcare
- Telecommunications network/service providers
Guidance on registering from Millicent Alusa, Certified Privacy Professional.
DPA and GDPR support
Kenya ODPC registration quick guide for Data Processors and Controllers
Kenya’s data protection laws are now in effect: how to comply.
The Data Protection Act impacts many areas of an organisation
Legal and compliance
Risk, Compliance and Legal Officers
Challenges
Privacy strategies, resourcing, and organisational controls will need to be revised.
Solutions
Implement and maintain audit trails and data journeys to proactively and comprehensively view your data and ability to demonstrate compliance with the Data Protection Act requirements.
Technology
Technology, Information & Security Officers
Challenges
Technology to enable information security and other compliance initiatives, will need to be reconsidered, refocused and repurposed.
Solutions
Build a platform that has privacy at the forefront of the design, build and deployment – such as data access requests, data retention, right to be forgotten, breach notification and international and 3rd party data transfers.
Data
Data and Operating Officers
Challenges
New Information management activities are required which specifically link to compliance demands.
Solutions
Ensure data is protected, governed, managed and utilised effectively in line with the organisation’s strategy
Gain visibility. Take action. Drive automation.
OneTrust unlocks every company’s potential to thrive by doing what’s good for people and the planet. Whether you’re a small company or a large enterprise, our Trust Intelligence Platform connects data, teams, and processes—so you can collaborate seamlessly and put trust at the center of operations and culture.
Global privacy laws like the CCPA, GDPR, and others, have required organisations to change the way they think about privacy. Now, organisations must find ways to effectively manage consumer requests, meticulously document processing activities and data transfers, and stay on top of a rapidly evolving regulatory landscape.
OneTrust demo
OneTrust offers powerful and easy-to-use compliance solutions that are purpose-built to solve challenges at scale – allowing organisations to simplify their privacy program management. Request a demo now!
How FITTS services can help you
Technical and organisational measures
Ensure you are collecting, processing and disposing of Personal Data in accordance with the principles of the GDPR while put in place technical measures to safeguard Personal Data throughout the period of control.
Communication, Training & Awareness
Creating a high level of organisational awareness on privacy ensures that the organisation’s employees know and follow the rules.
Privacy Operations
Embedding privacy into your organisation's project methodology. This is done by efficient and practical guidance during conception of a new or changed product or service (Privacy by Design) as well as assessing new and existing systems following the established Privacy Impact Assessment method.
Design, build and manage IT solutions
Ensure your data is as efficiently as possible, protected, governed, managed and utilised effectively in line with your organisation’s strategy.
Data Privacy and Protection in Kenya: A Regulatory Review 2022
This document has been developed to provide a review of the regulatory framework for data protection in Kenya. The objective of this review is to provide guidance to firms on the impact of DAPA and the extent to which both GDPR and CCPA apply to their businesses and operations. The document provides a detailed regulatory assessment of DAPA against the various articles and recitals in both the GDPR and the CCPA. This comparison identifies some of the challenges that fintech and other firms might face during implementation. However, it is not just about identifying the potential challenges. The document goes further to provide policy recommendations to strengthen the regulatory framework and enhance market function.