- The Data Protection (Conduct of Compliance Audit) Regulations, 2024
- The Data Sharing Code (Guidance Note)
In this update, we focus on the Data Protection (Conduct of Compliance Audit) Regulations. Our next update will cover the Data Sharing Code.
- establish a structured framework for conducting data protection audits
- promote audit quality and consistency
- establish accreditation criteria for data protection auditors
3. Initiation of Audits: The ODPC may conduct a data protection audit on its own, outsource the conduct of the audit, or affirm a data protection audit report submitted to it by an accredited auditor. In addition, a data controller or processor may initiate an audit of its own volition.
- upon receiving a complaint regarding an entity's data protection practices;
- as part of a broader regulatory investigation;
- based on a risk assessment; or
- in response to a perceived or real privacy risk or a data breach notification.
Prior to initiating an audit, the Data Commissioner shall provide a 30-day notice to the data controller or data processor.
- proactively assess their data protection compliance posture; or
- as part of a corrective measure following a data breach or other data protection concerns.
A data controller or processor initiating a voluntary audit may engage an auditor accredited under the Act to conduct the audit.
- firm/establishment details;
- proof of academic and professional qualifications in data protection;
- relevant experience in data protection audits; and
- evidence of adequate professional indemnity cover.
The ODPC will maintain a public register of accredited auditors and may reject an application for accreditation or revoke an accreditation already granted.
- developing a detailed audit plan outlining the methodology, scope and timeline for the audit;
- conducting relevant interviews with data controllers or processors; and
- reviewing relevant documentation and records related to data processing activities, including:
  - data protection policies and procedures;
  - records of data processing activities; and
  - data security measures and records of data subject requests and responses.
The auditors may also perform necessary tests or assessments to evaluate compliance with the requirements of the Act.
6. Data Controller Responsibilities in the Audit Process: Data controllers or data processors must provide the auditor with reasonable access to all relevant information and documentation necessary for conducting the audit, designate a contact person and fully cooperate with the auditor to address any non-compliance issues.
7. The Auditor's Responsibilities: Accredited auditors must:
- conduct the audit in accordance with professional standards and best practices;
- plan the scope of the audit effectively based on specific needs;
- employ appropriate audit methodologies to assess compliance with data protection requirements;
- maintain the confidentiality and security of all information received during the audit process; and
- avoid conflicts of interest.
8. Reporting Audit Findings: Auditors must prepare a written audit report detailing the scope and methodology of the audit, as well as the findings and recommendations for corrective action. The data controller must receive the report and be given a reasonable timeframe to respond to the findings and recommendations.
9. Enforcement Actions: Following an audit, the Data Commissioner may:
- issue recommendations for improvement to the data controllers or processors;
- issue enforcement or penalty notices requiring the data controller to take specific corrective action; or
- initiate further investigation for non-compliance.
10. Cooperation and Confidentiality: The Data Commissioner, the auditor, and the data controller or data processor shall all cooperate in a professional and timely manner throughout the audit process. All information obtained in the audit shall be treated as confidential, except where disclosed with the authorisation of the data controller or processor or where disclosure is required by law. In addition, auditors must implement appropriate safeguards to protect the confidentiality of personal data accessed during the audit process.
11. Reporting by the ODPC: The ODPC shall prepare and publish an annual report on the implementation of the Regulations, including the number of audits conducted and the audit findings and actions taken. The report shall be made available to the public to promote transparency and accountability.
Next Steps:
The draft regulations are currently undergoing public participation before being tabled in Parliament for adoption. We will keep you informed of further developments. In the meantime, we recommend that you continue enhancing your privacy compliance program to minimise regulatory risks.
New Book Alert!
- A detailed analysis of key data protection cases in Kenya.
- Insights into regulatory enforcement trends.
- Lessons for businesses, legal professionals and compliance officers.