Kenya Data Protection Act | Kenya DPA
The Trust Challenge

Key obligations and consequences

Applicability of the Law

The Act applies to data controllers and data processors that process the personal data of data subjects located in Kenya, whether the controller or processor is established or resident in Kenya or outside it. Kenya’s Data Protection Act therefore has both territorial and extraterritorial scope, one of its similarities with the EU’s GDPR.

Purpose of the Act

The Act seeks to:

  • Give effect to Article 31(c) and (d) of the Constitution, which set out the right to privacy.
  • Establish the Office of the Data Commissioner.
  • Regulate the processing of personal data.
  • Provide for the rights of data subjects.
  • Set out the obligations of data controllers (the person who determines the purpose and means of processing personal data) and data processors (the person who processes personal data on behalf of the data controller).

Data Protection Principles

The Act requires data controllers and processors to process personal data lawfully; to minimise the collection of data; to restrict further processing; to ensure data quality; and to establish and maintain security safeguards to protect personal data.

Registration of Data Controllers and Processors

Any person who acts as a data controller or data processor must be registered with the Data Commissioner. Organisations meeting the definition of a controller or processor therefore need to register as such once the Office of the Data Commissioner is established, and renew their registration every 3 years.

Transfer of Personal Data Outside Kenya

  • Every data controller or data processor is required to ensure that at least one serving copy of personal data to which the Act applies is stored on a server or data centre located in Kenya.
  • Cross-border processing of sensitive personal data is prohibited except under the conditions and circumstances specified in the Act (Part VI, sections 48 to 50).
  • A data controller or data processor may transfer personal data to another country where:
    • the controller or processor has given proof to the Data Commissioner of appropriate safeguards for the security and protection of the personal data;
    • the data subject has given explicit consent to the proposed transfer, after having been informed of its possible risks, such as the absence of appropriate security safeguards; or
    • the transfer is necessary for the performance of a contract.
The Trust Challenge

Key Challenges in brief:

Penalties for non-compliance

Infringement of the provisions of the Kenya Data Protection Act (DPA) attracts an administrative fine of not more than KES 5 million or, in the case of an undertaking, not more than 1% of its annual turnover for the preceding financial year, whichever is lower. A person who commits an offence under the Act is liable to a fine not exceeding KES 3 million, imprisonment for a term not exceeding ten years, or both.

Increased territorial scope

The DPA applies to all companies processing the personal data of data subjects located in Kenya, regardless of where the company itself is located.

Explicit and retractable consent from data subjects

Requests for consent must be presented in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Data subject access and erasure rights

Data subjects can request confirmation of whether their personal data is being processed, where, and for what purpose. They can also request to be forgotten, which entails the deletion of all personal data relating to them.

Breach notification

Where a breach poses a real risk of harm to the data subject, the Data Commissioner must be notified within seventy-two hours of the controller becoming aware of the breach, and the affected data subject must be notified in writing within a reasonably practical period.

Privacy by design

It is now a legal requirement to consider and build in data protection from the outset of system design, rather than adding it retrospectively.

Records of processing activities

Organisations must maintain a record of the processing activities under their responsibility; in short, they must keep an inventory of all personal data processed. The inventory must capture several kinds of information, such as the purpose of each processing activity.

Data Protection Officer

Depending on the type of personal data and the intensity of the processing activities, an organisation may be required to appoint a Data Protection Officer to support its obligation to demonstrate compliance with the Act.

Win-Win Situation

Solutions

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organisations to inventory and map their entire data footprint, so they can protect what matters most.

Third-party Privacy Intelligence (monitors third-party sharing): Silos between entities, or between business and IT teams, make it hard to get a full picture of the data leaving and entering the organisation, especially when data is shared with third parties, vendors and business partners. TurtleShield PI (Privacy Intelligence) builds a data map of this data sharing so that you can act on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses remove excess data and adhere to the data minimisation principle. It is a data hygiene control approached from a risk-reduction and compliance perspective: large data sets are scanned with machine learning to find excess data, including excess personal data. Removing unwanted data eliminates operational inefficiencies and saves both the cost of storing it and the legal cost of holding it under regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion: TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating that the deletion has taken place.

Enable data subject rights with cost savings and compliance in totality: Search across large datasets fulfils data subject requests completely and at a rapid pace. The assumption that data exists only in databases, and nowhere else, is often not the reality; customer data exists in many sources. Using machine learning and AI, we crawl across data sources and predict where PII may exist.
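As an added illustration of the two capabilities described above (deletion on request with validation of the deletion, and searching beyond the customer database so that a request is fulfilled in totality), the Python below is example code written for this page; it is not TurtleShield code. It scans three constructed sample stores (a customer table, a free-text support log and a parsed CRM export, all made-up data) for a subject's identifiers, removes the matching records, then re-scans and returns an evidence record showing whether any residual copies remain. Identifier matching here is plain regular expressions on assumed fields (email and phone), not the ML-based discovery the product describes.

```python
import json
import re
from dataclasses import dataclass


@dataclass
class Subject:
    """Identifiers under which the data subject may appear in any store."""
    email: str
    phone: str

    def patterns(self):
        # Email matched case-insensitively; phone matched with or without the
        # leading '+' so "+2547..." and "2547..." both count as hits.
        return [
            re.compile(re.escape(self.email), re.IGNORECASE),
            re.compile(re.escape(self.phone.lstrip("+"))),
        ]


def sample_stores():
    """Constructed sample data (not real records): a customer table, a
    free-text support log and a parsed JSON CRM export. The same subject
    appears in all three, which is exactly what a database-only search misses."""
    return {
        "customers_db": [
            {"id": 101, "name": "Amina Wanjiru", "email": "amina@example.co.ke",
             "phone": "+254700000001"},
            {"id": 102, "name": "John Otieno", "email": "john@example.co.ke",
             "phone": "+254700000002"},
        ],
        "support_log": (
            "2024-03-01 10:02 ticket#55 opened by amina@example.co.ke re: billing\n"
            "2024-03-01 10:30 ticket#56 opened by john@example.co.ke re: login\n"
            "2024-03-02 09:15 callback requested for 254700000001\n"
        ),
        "crm_export": {"contacts": [
            {"email": "AMINA@example.co.ke", "tier": "gold"},
            {"email": "john@example.co.ke", "tier": "silver"},
        ]},
    }


def _as_text(content):
    return content if isinstance(content, str) else json.dumps(content)


def find_occurrences(subject, stores):
    """Return {store_name: hit_count} for every identifier of the subject.
    Scanning every store, not only the customer database, is the point:
    residual copies in logs or exports are what make a deletion incomplete."""
    hits = {}
    for name, content in stores.items():
        text = _as_text(content)
        count = sum(len(p.findall(text)) for p in subject.patterns())
        if count:
            hits[name] = count
    return hits


def erase(subject, stores):
    """Return new stores with every record or line mentioning the subject
    removed. Inputs are not mutated, so 'before' and 'after' can be compared."""
    pats = subject.patterns()

    def mentions(text):
        return any(p.search(text) for p in pats)

    def drop(records):
        return [r for r in records if not mentions(_as_text(r))]

    cleaned = {}
    for name, content in stores.items():
        if isinstance(content, str):
            # Text or log store: drop whole lines that reference the subject.
            cleaned[name] = "".join(
                line for line in content.splitlines(keepends=True) if not mentions(line))
        elif isinstance(content, list):
            cleaned[name] = drop(content)
        elif isinstance(content, dict):
            cleaned[name] = {k: drop(v) if isinstance(v, list) else v
                             for k, v in content.items()}
        else:
            raise TypeError(f"unsupported store type for {name}")
    return cleaned


def process_erasure_request(subject, stores):
    """Discover, delete, then re-scan. The returned record is the evidence
    that the deletion was verified, or lists where residual data remains."""
    found = find_occurrences(subject, stores)
    cleaned = erase(subject, stores)
    residual = find_occurrences(subject, cleaned)
    record = {"found_in": found, "residual": residual, "verified": not residual}
    return cleaned, record


if __name__ == "__main__":
    amina = Subject(email="amina@example.co.ke", phone="+254700000001")
    _, evidence = process_erasure_request(amina, sample_stores())
    print(json.dumps(evidence, indent=2))
```

The evidence record is what an auditor asks for: the stores the subject was found in, what remained after deletion, and a boolean that is only true when the post-deletion scan is empty. Running the same scan for a second subject before and after the erasure confirms that unrelated records were not touched.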


