Kenya: Data Protection – Let’s Talk Compliance, Enforcement and Penalties

12 October 2022
– 3 Minute Read
October 12 | Data Protection

Brief snapshot of where we are

On 19th November 2022, the Data Protection Act, 2019 (the ‘DPA’) will mark 3 years since it came into force. Various regulations have since been published to operationalize the provisions of the DPA, such as the Data Protection (General) Regulations, the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (collectively, the ‘Regulations’). The Office of the Data Protection Commissioner (the ‘ODPC’) has been operational since March 2021. During this period, the ODPC has been actively engaging stakeholders and calling for and emphasizing compliance with obligations under the DPA and the Regulations. As entities acting as data controllers and data processors take steps to ensure continued compliance with the DPA, the ODPC continues to sensitize individuals and companies in respect of their rights and obligations under the legislation.

ODPC’s continued call for compliance

The ODPC’s mandate to increase awareness of data protection has been constant and well implemented. The ODPC has called on all persons who are subject to the DPA and the Regulations to take measures to comply with their mandatory obligations. For example, since the obligations for registration of data controllers and data processors became effective on 14th July 2022 with the launch of the online registration portal, we have seen calls from the ODPC urging data controllers and data processors to submit their registration. The ODPC has also recently made statements in the media providing statistics on the number of entities that have complied with or are in the process of complying with their registration obligations. Further, and in line with the Regulations, the ODPC has also now published a list of registered data controllers or data processors that is accessible from its website. As at 11th October 2022, the register shows validation of 334 persons/entities as registered data controllers and/or processors.

Compliance as an ongoing obligation

There are no hard deadlines set for compliance with obligations under the DPA and the Regulations, as we highlighted in our previous update. However, the absence of hard deadlines should not lead to complacency. Compliance is equally not a milestone that can be reached and abandoned; it is a continuous obligation. Even after registering as a data controller and/or a data processor, entities must ensure that they continue to be compliant with any requirements under the DPA and the Regulations that are applicable to their operations and business activities. However, inasmuch as compliance is not an event with defined deadlines, it is important to also be cognizant of the potential enforcement actions that can be exercised by the ODPC under the DPA and the Regulations in the event of non-compliance.

Enforcement actions and penalties

In a recent press release issued by the ODPC on 5th October 2022, Commissioner Kassait provided fresh statistics on complaints and audits being carried out by her office. The press release indicated that as at 30th September 2022, the ODPC had received 1,030 complaints and admitted 555 complaints; over 50% of complaints received related to digital lenders. Additionally, through the same press release, the ODPC notified members of the public of a recently issued enforcement notice. These actions demonstrate the ODPC’s proactive efforts in ensuring compliance and in raising awareness.

Enforcement Notices and Penalty Notices

Please note that, in addition to the above, other remedies under the DPA and the Regulations include dismissal of a complaint where the complaint lacks merit, as well as an order for compensation to the data subject/complainant by the respondent to the complaint.