The Data Protection Act of Kenya (the DPA) came into effect on 25 November 2019. The DPA enshrines internationally accepted data protection principles and standards. It is now the overarching legislation in Kenya that regulates the collection, processing and related actions in the handling, use and storage of personal data. The DPA applies to the processing of personal data by resident and non-resident data controllers and processors where the data subjects are located in Kenya and in addition, the DPA outlines the rights of data subjects.
Office of the Data Commissioner
The DPA provides for the establishment of the Office of the Data Commissioner as an independent office to oversee the implementation and undertake the responsibility for the enforcement of the DPA. The Office of the Data Commissioner is tasked with maintaining the register of data controllers and data processors, exercising oversight over data processing operations and has investigatory powers with respect to any alleged breach of the provisions of the DPA. We are pleased to report that the recruitment process for the Data Commissioner was recently initiated by the Public Service Commission. According to a vacancy notice published by the Public Service Commission, the Data Commissioner shall be appointed for a single term of six years and shall not be eligible for a reappointment. The deadline for the submission of applications is 14th April 2020 at 5:00pm (East African Time). The vacancy notice can be accessed here. We hope that the appointment will be confirmed over the next few months.
Putting it into Perspective
Since the commencement of the DPA, data controllers and processors have been unable to fully comply with certain obligations under the DPA such as the requirement to register with the Data Commissioner, conducting a data protection impact assessment, or approval of safeguards prior to any cross-border transfers. The recruitment of the Data Commissioner is therefore an important and much welcomed step in the full operalisation of the DPA.
Finally, with the recruitment underway, businesses and companies should promptly take steps to ensure that their operations and processes are in compliance with the DPA to avoid any enforcement actions that may be pursued by the soon-to-be appointed Data Commissioner.