
Kenya: International Data Privacy Day – A Year in Review

27 January 2023
– 3 Minute Read


Early last year, three sets of regulations were enacted to give effect to the provisions of the Data Protection Act, No. 24 of 2019 (the 'DPA'), namely: the Data Protection (General) Regulations, 2021 ('General Regulations'), the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 ('Complaints Regulations'), and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 ('Registration Regulations'), collectively the 'Regulations'. The Regulations enabled the Office of the Data Protection Commissioner ('ODPC') to execute its mandate under the DPA, setting in motion some much-lauded developments for data privacy in Kenya.

Taking stock of 2022

  • In addition to the Regulations, the ODPC has published several useful guidance notes, including notes on the ongoing registration of data controllers and data processors, on data protection impact assessments, and on consent. These can be accessed here.
  • Registration commenced on 14th July 2022 and we have seen a number of entities comply with this requirement. We should re-emphasise that registration is only one component of compliance. See our update on this here.
  • The ODPC has issued various enforcement notices and its first penalty notice. Our analysis of the enforcement actions can be accessed here. These actions indicate the manner in which complaints will be upheld and enforced by the ODPC, and provide insight into how organisations should respond to ODPC investigations.
  • The ODPC has collaborated with other sector-specific regulators to ensure compliance. For instance, the Central Bank of Kenya (Digital Credit Providers) Regulations, 2022 require applicants to submit copies of their data protection policies and procedures as part of the application process. The ODPC also issued a press release to the effect that it will conduct an audit of 40 digital credit providers whose data processing practices were the subject of complaints.
  • The ODPC continues to actively engage stakeholders and create awareness on data protection compliance requirements across different sectors.

Things to watch out for this year

  • We anticipate more enforcement action and issuance of penalty notices by the ODPC. Similarly, we expect that appeals to the High Court may arise from the decisions issued by the ODPC.
  • Adequacy decisions for countries deemed to have adequate data protection laws.
  • The issuance of sector-specific data protection guidelines such as guidelines on data protection compliance in the private security, insurance, financial and health sectors.
  • A focus on trainings, sector-specific and county-level engagements, and awareness campaigns for data subjects.

What did we learn?

The Regulations, and in particular the Registration Regulations, had the benefit of raising awareness of the compliance requirements under the DPA and showing what the ODPC's "muscle" was capable of. In addition, we hope that the new sector-specific guidelines will assist some of the more crucial sectors of the economy in navigating compliance requirements and in ensuring that data collection and processing are efficient and effective, both in serving business needs and in striking the balance required to respect data subject rights.

Importantly, whilst organisations across all sectors are increasingly aware of their compliance requirements under the DPA, a practical understanding of how the DPA operates is crucial to implementing a shift in organisational processes and mindsets. Privacy policies and records of processing activities must continue to be live and active documents, serving as regular reminders of lawful and proper data collection and handling practices. Compliance is a process and not a one-time event. We therefore recommend that entities: (i) conduct data protection audits to ensure that their personal data processing activities comply with the provisions of the DPA and the Regulations; (ii) have in place compliant documentation to guide compliance; and (iii) create awareness through regular training.