KENYA: DATA PROTECTION: GETTING READY FOR REGISTRATION
In our previous update, we provided a summary of the key provisions contained in the Data Protection (General) Regulations, 2021 (“General Regulations”), the Data Protection (Complaints Handling and Enforcement) Regulations, 2021 (“Complaints Handling Regulations”), and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (“Registration Regulations”) (together “the Regulations”). Now that the Regulations have been approved, we take a closer look at the Registration Regulations, which provide clear guidelines on the registration process for data controllers and data processors. The Registration Regulations are instrumental in implementing the requirement under the Data Protection Act, 2019 (the DPA) for data processors and data controllers to be registered with the Office of the Data Protection Commissioner (the ODPC).
When do I need to register?
Data controllers and data processors have a six (6) month grace period from the date of publication of the Registration Regulations to get their house in order. There has been some confusion over the registration date; we now understand that the requirement to register will take effect from 14th July 2022, as opposed to by 14th July 2022. The registration portal has not yet been launched.
With barely a few months to the deadline, it is important that data controllers and data processors take note of the following tips in preparation for the registration:
Registration Thresholds
In our previous update, we outlined the exemption thresholds and the sectors that would be subject to the mandatory registration requirements. In particular, sectors that need to be alert to the mandatory registration requirements include security/crime prevention, educational institutions, provision of patient health care, telecommunications network or service providers, transport services firms (including online passenger hailing applications), and hospitality. Data controllers or processors with an annual turnover (applicable to non-profit entities) or revenue (applicable to profit-making entities) below Kshs 5 million (approx. USD 50,000) for the year immediately preceding registration, and fewer than 10 employees, are exempt from registration.
Remember, unless exempt from registration, you cannot act as a data controller or processor in Kenya unless you have registered with the ODPC.
Application requirements and process
- The Registration Form:
If eligible for registration, a data controller or processor is required to submit the form prescribed in the Registration Regulations (the “DPR 1”). The DPR 1 requires you to provide information on the entities involved and the type of processing activities being undertaken, including:
  - the categories and description of personal data being collected and processed, and the purpose of such processing;
  - risks to personal data and the safeguards in place against such risks;
  - (if applicable) the types of sensitive personal data collected and processed, and the purpose of their processing;
  - if personal data is transferred outside Kenya, the name of the country(ies) to which personal data is transferred; and
  - the previous annual turnover/revenue of the entity seeking to be registered.
- Registration Fees
To be registered as a data controller or processor, an applicant must pay the prescribed fee, which varies depending on the category within which the data controller or data processor falls. For the purposes of registration and certificate renewal fees, the Registration Regulations classify data controllers and data processors into:
  - micro and small data controllers/processors (i.e., those with an annual turnover/revenue of Kshs. 5 million and 1 to 50 employees);
  - medium data controllers/processors (i.e., those with an annual turnover/revenue of above Kshs. 5 million but less than Kshs. 50 million and 51 to 99 employees);
  - large data controllers/processors (i.e., those with an annual turnover/revenue of more than Kshs. 50 million and more than 99 employees);
  - public entities; and
  - charities and religious entities (regardless of revenue/turnover).
- Issuance of a registration certificate
Upon submission of the application form and requisite documents via the online registration portal, and payment of the registration fees, the ODPC will verify the information provided. If satisfied, the ODPC will issue the applicant with a certificate of registration and enter the successful applicant’s details in the register of data controllers and processors.
The certificate of registration issued is valid for a period of two (2) years (renewable).
What next?
The Registration Regulations are an urgent call for data processors and data controllers to take deliberate steps to ensure compliance with the DPA. Such steps would typically include a review of data processing frameworks, activities and policies, putting in place data protection agreements with third parties and generally seeking legal advice where necessary.