Key Developments on Data Protection in Kenya

It has been over 100 days since the appointment of Kenya’s first Data Commissioner. The Data Commissioner is in charge of data protection compliance and enforcement. Let us consider some of the developments that have happened in this time.

1. Establishment of an Office

The Data Commissioner’s office is situated within the premises of the Communications Authority of Kenya. This is an interim arrangement which is expected to last for a period of one year. In the meantime, plans are underway to identify and close on suitable office premises. 

Apart from this, the Data Commissioner has developed a Citizen Service Delivery Charter in which sets out its promises and commitments on service level delivery.

2. Online Resources

The Data Commissioner launched its website which can be accessed here. The site contains several resources on Data Protection. Firstly, it provides a means for persons to lodge complaints with the Data Commissioner. In addition, it provides a way for organisations to report personal data breaches. Apart from this, the website outlines applicable data protection principles, rights of data subjects and the way in which those rights may be exercised.

Finally, the site also contains some guidelines on two key data protection concepts i.e., Consent and Data Protection Impact Assessments. The guidelines on consent set out the minimum expectations on seeking and obtaining data subject consent when processing personal data. On the other hand, the Data Protection Impact Assessment Guidelines provide useful information on circumstances in which a Data Protection Impact Assessment should be carried out. The Guidelines also contain sample a Data Protection Impact Assessment Tool.


3. Establishment of Regulation Development Taskforce

By a Gazette Notice dated 7th January 2021, the Cabinet Secretary for ICT, Innovation and Youth Affairs appointed a task force and charged with the mandate of development of the draft Data Protection (General) Regulations. The Regulations are expected to clarify various matters in the Act including the thresholds for registration of Data Controllers and Processors.

4. Stakeholder Consultation Forums

The Commissioner has held various stakeholder engagements with various public and private sector groups. The primary objectives of the forums include (i) to communicate the developments in the Data Commissioner’s Office, (ii) to outline the expectations of Data Controllers and Processors and (iii) to receive sector-specific feedback.


The Data Commissioner has settled quickly into the new role and by the look of things, by the end first half of the year the regulations and other useful guidelines will have been finalised. We expect to see enforcement related activity in the second half of the year.

If your organisation handles personal data, you ought to have started your compliance journey by now. If you have not done so, you should as a matter of urgency prioritise compliance. Start by developing an inventory of your personal data and conducting a gap/risk assessment. Thereafter, develop appropriate data privacy policies and processes to ensure compliance. In addition, review current contractual arrangements to ensure that you have embedded adequate data protection provisions. Finally, consider appointing a Data Protection Officer to take the lead in your compliance initiatives.

Leave a Reply

Your email address will not be published. Required fields are marked *

To Top