In early 2022 Kenya’s new data protection regulations came into effect, governing what businesses inside and outside the country can do with information about Kenyan citizens. The law is far-reaching and will have a significant impact on how many companies process data. It represents a major step forward for people’s online privacy in the country.
However, according to one survey by a software company, 36% of Kenyan businesses are not even aware of the rules – and many of the rest are unclear about how to comply.
Let’s get up to date with what Kenya’s data protection laws mean for your business – and how you can comply.
Key facts about Kenya’s data protection rules
In 2019, Kenya introduced its Data Protection Act. The following year the country set up the office of its Data Protection Commissioner, who then specified three regulations which came into effect in February 2022:
- The Data Protection (General) Regulations
- Registration of Data Controllers and Data Processors Regulations
- Complaints Handling and Enforcement Procedures Regulations
For a comprehensive overview of the new rules, read this expert overview on the CMS law website.
Here are some of the key implications of Kenya’s data protection regulations:
- It is now unlawful to collect, process or disclose information about a data subject (an individual person) without their permission
- It is now illegal to sell any personal data without express consent
- If you process people’s data, you must be registered with the office of the data commissioner
- You must comply with the rules in the Data Protection Act, including the so-called ‘right to be forgotten’
- You must notify the Data Protection Commissioner’s office within 72 hours of a data breach
- Most kinds of data about Kenyan citizens cannot be moved outside the country without their permission
Penalties for non-compliance are significant. The maximum fines reach KES 5 million, or 1% of a business’s annual turnover (whichever is lower).
What Kenya’s data protection regulations mean for your business
If your business collects information about Kenyan citizens in any digital format (whether you’re based inside or outside the country), Kenya’s new data protection regulations will impact you in various ways:
- Changes to what data you can collect: You will need to reassess your current data collection strategies and decide whether or not the information you’re collecting and processing is permitted.
- Get permission: You must request permission from the data subject if you wish to hold and process their information (including cookies on your website).
- Store the data in Kenya: Unless you have express permission from the data subject, most data you collect will need to be stored within Kenya’s territorial boundaries (in either a server or a cloud data centre).
- Tell the data commissioner if you have a breach: If your data gets breached, you must notify the Data Protection Commissioner within 72 hours.
- Data protection officer: Many Kenyan businesses will need to appoint a data protection officer whose job will be to monitor internal data processing activities and ensure compliance.
- Privacy by design: Kenya’s data protection laws require businesses to demonstrate they are following the notion of ‘privacy by design’. You must ensure your databases and IT systems meet the highest cybersecurity standards.
Where to start with Kenya’s data protection regulations
Given the size of fines for failures (not to mention reputational damage), it is vital to ensure you become compliant as soon as possible. The following four steps can help you begin your journey to compliance with Kenya’s data protection regulations.
- Current data management assessment: You first need to get a picture of what data you hold, what format it’s held in, where it’s held, and the level of detail. You can then decide whether you’re currently complying with the Data Protection Regulations and change your processes if necessary.
- Register with the Data Protection Commissioner: If you hold and process people’s private data, you must register with the Data Protection Commission (even if you’re based outside of Kenya). The process can be done relatively quickly online.
- Change processes where necessary: If you’re currently holding data or processing it in a way that is out of step with the regulations, you must now change this.
- Upgrade technology: To comply with Kenya’s data protection regulation, you might need to update your technology systems to ensure security by design, to track possible breaches, and to encrypt data at rest and in transit.
FITTS helps you comply with Kenya’s data protection regulations
Complying with new data protection regulations can be challenging – especially if your data is currently held on several different servers, managed by different employees, and processed for different reasons.
And this is where FITTS helps. Our highly experienced teams know Kenya’s data protection rules inside out, and can support you to comply with the new rules. Our Nairobi-based teams will conduct in-depth assessments of your data protection policies, recommend how to comply with the law, and implement new technologies to identify breaches and improve your cybersecurity processes.
Contact FITTS today for an initial assessment of your data management policies and start complying with Kenya’s new data protection regulations.
Tom Mcdowall
Tom has 8 years of experience working with global teams to deliver strategic digital transformations - helping clients improve collaboration, ways of working, business processes, operations and mobility.
In 2018, Tom opened the East Africa office for FITTS in Nairobi. He is passionate about the impact modern workplace technology is going to have on the way Sub-Saharan Africa competes in the global marketplace and the role FITTS can play in supporting that journey.
During the past 8 years of digital transformation, Tom has worked in London, Saudi Arabia and Nairobi for clients such as Barclays Bank, UK Department of Work And Pensions, Unilever, Saudi Telecom Company, MS Amlin Insurance and a nuclear energy generator. However, regardless of the geography or the industry, the ultimate objective has been the same – drive change that re-imagines the way people work every day.