Data Protection Law in Kenya


The Data Protection Act, 2019

To keep pace with modern-day developments that call for codified regulation, Kenya adopted the Data Protection Act on 8th November 2019 via presidential assent.

The Act enters Kenya's array of laws as the regulatory document for all data matters. Its objective is to regulate data processing, to protect people's privacy and to provide Kenyans with remedies in the event of undue use of their private data.

Highlights of the Data Protection Act, 2019

Scope of application of the new law

  • The Act will apply to data entered by Data Controllers (DCs) and Data Processors (DPs) via both automated and non-automated means.
  • Crucially, DCs and DPs that are not resident in Kenya will still be subject to the new law as long as the processed data is that of subjects located in Kenya.

Principles of Data Protection

Data-controlling and data-processing companies now have stringent rules to abide by. We highlight some here.

  • Data collection must be for specified, legitimate purposes.
  • Collected data must be accurate and inaccuracies must be amended or deleted promptly.
  • Personal data is to be kept only for the period of time for which it will be relevant to its stated purpose.

Rights of Data Subjects

A data subject is a natural person (thus excluding juristic persons) from whom data has been collected. The Act introduces rights of data subjects, being the rights to:

  • Be informed of the intention of collection of the data;
  • Have false or misleading data corrected/deleted promptly (The Right to Rectification and Erasure);
  • Object to the processing of one’s personal data; and
  • Be able to access one’s data possessed by the collector/processor.

Data Protection Officers (DPOs)

  • DCs and DPs may assign or hire a data protection officer. This would be especially essential in entities possessing data that requires regular monitoring and handling.
  • The DPO can be a staff member of the DC/DP or an external expert and can act as such for more than one entity at a time – as long as he/she will be accessible to each entity as required.
  • Obviously, the DPO ought to be a professional knowledgeable in the field of data protection or related sectors.

Key Words and Phrases

  • Pseudonymisation is the processing of personal data in such a way that the data can no longer be attributed to a specific person without using further, separately kept corroborative data. DCs and DPs are obligated by the Act to introduce measures that enable pseudonymisation as a security feature.
  • The Act provides that sensitive personal data is data on a person’s race, health, ethnicity, beliefs and socio-personal details (marital status, children, sex, etc.). The Act provides that sensitive personal data should only be processed in accordance with strict guidelines of privacy, fairness and transparency.

Essential Regulatory Introductions

  • All DCs and DPs must be registered as such. Prior to registration, the DCs and DPs must demonstrate to the Commissioner their capabilities with regard to security measures, capacity to indemnify subjects, among other criteria.
  • There is no set limit for the validity of registration certificates – the Commissioner will determine the validity of certificates on a need-to-have basis. The certificates are renewable if an extension is required.

M&K Advocates Advisory Statement

  • The new Act provides a strict framework for management of data in Kenya, which has often been referred to as the Silicon Savannah – the data and tech capital of Africa.
  • It therefore goes without saying that a myriad of entities, from large corporates, to medium-sized firms, to small start-ups, will all be affected by this Act. These entities must therefore streamline operations accordingly.
  • The Act is much more detailed, and this newsletter provides just a snippet of the general feel of the new law. We at Muma & Kanjama Advocates are ready and willing to train and partner with companies, firms and organizations in order to advise further on the matter of data protection as per the new law.

                                – by Jeffrey Kirira, Associate


                                Or +254 726 006 102
