Educational Information Only
This page provides general educational information about cybersecurity laws and regulations. It does not constitute legal advice, legal interpretation, or a substitute for professional legal counsel. Laws change frequently. Always consult a qualified attorney and verify current requirements directly from official government sources before making compliance decisions. DecipherU is not a law firm and does not provide legal services.
Data Protection Act, 2019 (Kenya)
The Kenya Data Protection Act, 2019 (Act No. 24 of 2019) was assented to on November 8, 2019 and commenced on November 25, 2019. The Act is published on Kenya Law (kenyalaw.org) and is the framework data protection statute for the Republic of Kenya. It gives effect to Article 31(c) and (d) of the 2010 Constitution of Kenya, which establishes a right to privacy that includes protection of personal information. The statute is administered by the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke, which was operationalized in late 2020 with the appointment of Immaculate Kassait as the first Data Commissioner. Three sets of subsidiary regulations were issued in 2021: the Data Protection (General) Regulations 2021, the Data Protection (Complaints Handling Procedure and Enforcement) Regulations 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021. Those regulations carry the day-to-day operational detail, including registration thresholds, complaint procedures, and enforcement steps.

The Act applies to a data controller or processor established or ordinarily resident in Kenya that processes personal data while in Kenya, and to a controller or processor outside Kenya that processes personal data of data subjects located in Kenya. That extraterritorial reach pulls in foreign SaaS vendors that target Kenyan customers, even when they have no local entity. Registration with the ODPC is mandatory for controllers and processors above thresholds set by the Registration Regulations 2021. The regulations exempt entities with annual turnover or revenue below KES 5 million and fewer than 10 employees, unless they process high-risk categories such as children's data, sensitive personal data at scale, health data, or financial data, or operate in listed sectors including telecommunications, financial services, education, betting, transport, and direct marketing.
Data subject rights under Sections 26 and 34 include the right to be informed, the right to access, the right to object, the right to correction, the right to deletion, and the right to portability. Lawful processing bases under Section 30 include consent, contract performance, legal obligation, vital interests, public interest, and legitimate interest. Sensitive personal data under Section 44 (health, genetic, biometric, child data, sex life, sexual orientation, race, ethnicity, religion, political opinions, marital status, family details, criminal record) requires either explicit consent or another listed condition. Breach notification under Section 43 is triggered where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the data subject: the controller must notify the Data Commissioner without delay and within 72 hours of becoming aware of the breach, and communicate the breach to the affected data subjects in writing within a reasonably practical period. A processor that becomes aware of a breach must notify the controller within 48 hours. The ODPC has imposed administrative fines on multiple controllers since 2022, including a KES 5 million fine against Oppo Kenya in 2023 and earlier fines against digital lenders for unauthorized contact-list scraping. Kenya is the operational center of East Africa for many multinationals and the home market of M-PESA, which means the Kenya DPA functions as the privacy floor for cross-border services across Kenya, Tanzania, Uganda, and Rwanda for many vendors. The Act is closely modeled on GDPR principles, so EU-aligned controls transfer well.
Quick Reference
Key Requirements
Section 18 (Registration)
Register the controller and each processor with the ODPC through the registration portal at odpc.go.ke and pay the prescribed fee. Renew registration every two years.
Section 25 (Principles)
Process personal data lawfully, fairly, and in a transparent manner. Limit processing to a specified, explicit, and legitimate purpose. Minimize data, keep it accurate, time-limit retention, and protect confidentiality, integrity, and accessibility.
Section 29 (Notice)
Provide a privacy notice to data subjects before collection that lists the identity of the controller, the purpose, the legal basis, recipients, retention period, data subject rights, and the right to lodge a complaint with the ODPC.
Section 30 (Lawful basis)
Process personal data only under a lawful basis: consent, contract, legal obligation, vital interests, public interest, or legitimate interests. Record the basis for each processing activity.
Section 32 (Consent)
When relying on consent, obtain a freely given, specific, informed, and unambiguous indication. Maintain an audit-ready consent record and allow withdrawal at any time.
Sections 26, 34 (Data subject rights)
Build a request workflow for the rights to information, access, rectification, deletion, restriction, portability, and objection. Respond within seven days of receipt under Regulation 13 of the General Regulations 2021.
Section 41 (Processor agreements)
Execute a written contract with each processor that specifies subject matter, duration, nature, purpose, types of data, data-subject categories, controller obligations, security measures, sub-processor consent, and assistance with rights requests.
Section 42 (Security)
Implement appropriate technical and organizational measures, including pseudonymization, encryption, access controls, resilience, and regular testing of effectiveness. Conduct an annual security review.
Section 43 (Breach notification)
Where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the data subject, notify the Data Commissioner without delay and within 72 hours of becoming aware of the breach, and communicate the breach to affected data subjects in writing within a reasonably practical period. Processors must notify the controller within 48 hours of becoming aware. Maintain a breach register that records when the organisation became aware, since that timestamp starts the clock.
Section 44 (Sensitive data)
Process health, genetic, biometric, child, sexual orientation, race, ethnicity, religion, political opinions, marital and family data only under explicit consent or another condition listed in the section. Apply additional safeguards.
Section 49 (Cross-border transfer)
Limit cross-border transfers to jurisdictions with appropriate safeguards, contractual clauses, binding corporate rules, or explicit consent. Notify the ODPC of transfers of sensitive data outside Kenya.
Section 31 (DPIA)
Conduct a data protection impact assessment before processing that is likely to result in high risk to rights and freedoms, including large-scale sensitive data processing and systematic monitoring.
Section 24 (Data Protection Officer)
Appoint a Data Protection Officer when the Section 24 criteria apply: the organisation is a public body, its core activities require regular and systematic monitoring of data subjects on a large scale, or its core activities involve large-scale processing of sensitive personal data. Register the DPO with the ODPC.
Regulation 17, Complaints Handling Procedure and Enforcement Regulations 2021
Track ODPC enforcement notices, registration deadlines, and public determinations on odpc.go.ke. Maintain a 30-day response plan because that is the standard window for compliance directives.
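The Section 42 item above lists pseudonymisation among the technical measures. The following is an added example written for this page, not code from the Act, the ODPC, or any vendor. It pseudonymises Kenyan mobile numbers and national ID numbers with a keyed HMAC-SHA256 rather than a plain hash, and shows why the key matters: identifiers with small keyspaces can be recovered from an unkeyed hash by enumerating a number block, while a keyed token cannot be reversed without the separately held key. The key value, the customer record, and the 1000-number block enumerated are constructed for the example; in production the key belongs in a secrets manager or HSM, never beside the pseudonymised dataset.

```python
"""Keyed pseudonymisation of direct identifiers (added example, not ODPC or statutory code)."""
import hashlib
import hmac
from typing import Callable, Optional

# Constructed fixed key so the example is reproducible offline. In production this key is
# stored separately from the pseudonymised data (secrets manager or HSM) and rotated under control.
PSEUDONYM_KEY = bytes.fromhex("2b" * 32)


def normalise_msisdn(msisdn: str) -> str:
    """Canonicalise a Kenyan mobile number to E.164 so '0712 345 678' and '+254712345678'
    produce the same token. Rejects anything that is not a recognisable Kenyan MSISDN."""
    digits = "".join(ch for ch in msisdn if ch.isdigit())
    if len(digits) == 12 and digits.startswith("254"):
        return "+" + digits
    if len(digits) == 10 and digits.startswith("0"):
        return "+254" + digits[1:]
    raise ValueError(f"not a recognisable Kenyan MSISDN: {msisdn!r}")


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier: what a naive 'just hash the phone number' scheme produces."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY, domain: str = "msisdn") -> str:
    """Keyed, deterministic token. The domain tag keeps an MSISDN token and a national-ID token
    from colliding even if the underlying strings were ever equal."""
    return hmac.new(key, f"{domain}:{identifier}".encode(), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Replace the direct identifiers in a customer record, drop the name, keep analytic fields."""
    out = dict(record)
    out["msisdn"] = pseudonymise(normalise_msisdn(record["msisdn"]), key, "msisdn")
    out["national_id"] = pseudonymise(record["national_id"], key, "national_id")
    out.pop("name", None)
    return out


def recover_by_enumeration(target: str, hash_fn: Callable[[str], str],
                           block_prefix: str = "+254712000", block_size: int = 1000) -> Optional[str]:
    """Attacker's view: hash every number in a (constructed) 1000-number block and compare.
    Succeeds against unkeyed_hash; fails against pseudonymise because the attacker lacks the key."""
    for i in range(block_size):
        candidate = f"{block_prefix}{i:03d}"
        if hash_fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample record; not real customer data.
    customer = {"name": "A. Wanjiru", "msisdn": "0712 000 457", "national_id": "12345678",
                "county": "Nairobi", "plan": "prepaid"}
    print(pseudonymise_record(customer))
    victim = "+254712000457"
    print("unkeyed hash recovered:", recover_by_enumeration(unkeyed_hash(victim), unkeyed_hash))
    print("keyed token recovered: ", recover_by_enumeration(pseudonymise(victim), unkeyed_hash))
```

A keyed token is still personal data under the Act whenever the key holder can link it back, so the key and the pseudonymised dataset need different access controls; pseudonymisation reduces the blast radius of a leaked analytics extract, it does not take the data out of scope.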
How Does Kenya DPA Affect Cybersecurity Careers?
Kenya is the regional technology center of East Africa and the home market for M-PESA, Safaricom, KCB Group, and most multinational regional offices for the East African Community. GRC analysts run Kenya DPA registration, data protection officer appointments, DPIA workflows, breach reporting to the ODPC, and cross-border transfer governance. Privacy engineers build consent capture, rights-request portals, encryption at rest and in transit, and breach detection that hits the 72-hour clock. Compared to GDPR, the Kenya DPA is closely aligned and slightly narrower (no explicit one-stop-shop, smaller fine ceiling, slimmer profiling rules). Compared to CCPA, Kenya is closer to GDPR than to a notice-and-opt-out model. Compared to NIST CSF 2.0, the Kenya DPA is enforceable and prescriptive on rights and breach timelines, while NIST CSF 2.0 is voluntary guidance, so most Kenya programs run NIST CSF 2.0 or ISO/IEC 27001 as the security control backbone with the DPA as the legal layer. Career paths affected include /careers/grc-analyst and /careers/privacy-engineer. The GRC and Compliance Fundamentals course covers Kenya DPA registration, ODPC enforcement, and East African cross-border transfers in the Africa privacy module.
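The consent-capture work described above, and the Section 32 item in the quick reference that asks for an audit-ready consent record with withdrawal at any time, both come down to one data structure. The following is an added example written for this page (not code from the Act, the ODPC, or any vendor): an append-only consent ledger in which every grant and withdrawal is a new event, events are hash-chained so a later edit to any record is detectable, and the question a processing pipeline actually needs answered is "was consent for this purpose in force at this instant", which a withdrawal must answer with no without erasing the original grant. Subject identifiers, purposes, timestamps and evidence strings are constructed for the example.

```python
"""Append-only, hash-chained consent ledger (added example, not ODPC or statutory code)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash carried by the first event


def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; a naive value is treated as UTC."""
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def event_hash(event: dict) -> str:
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only record of consent grants and withdrawals.

    Nothing is updated or deleted: a withdrawal is a new event, so the original grant, its
    evidence and its timestamp survive for an audit. Each event carries the hash of the
    previous one, so altering, removing or reordering a historical event breaks the chain.
    """

    def __init__(self) -> None:
        self.events = []

    def _append(self, subject_id: str, purpose: str, action: str, at: str, evidence: str) -> dict:
        if action not in ("grant", "withdraw"):
            raise ValueError(f"unknown action {action!r}")
        event = {
            "subject_id": subject_id,
            "purpose": purpose,            # one consent per specific purpose
            "action": action,
            "at": to_utc(at).isoformat(),  # stored with offset so Nairobi (UTC+3) entries are unambiguous
            "evidence": evidence,          # where the indication came from: form version, channel, reference
            "prev_hash": self.events[-1]["hash"] if self.events else GENESIS_HASH,
        }
        event["hash"] = event_hash(event)
        self.events.append(event)
        return event

    def grant(self, subject_id: str, purpose: str, at: str, evidence: str) -> dict:
        return self._append(subject_id, purpose, "grant", at, evidence)

    def withdraw(self, subject_id: str, purpose: str, at: str, evidence: str) -> dict:
        return self._append(subject_id, purpose, "withdraw", at, evidence)

    def is_consented(self, subject_id: str, purpose: str, at: str) -> bool:
        """Was consent for `purpose` in force at instant `at`?

        The latest event at or before `at` decides; on equal timestamps the later-appended one
        wins. Events may arrive out of chronological order (a late batch sync), so the decision
        is made on event time, not append order.
        """
        when = to_utc(at)
        relevant = [(i, ev) for i, ev in enumerate(self.events)
                    if ev["subject_id"] == subject_id and ev["purpose"] == purpose
                    and to_utc(ev["at"]) <= when]
        if not relevant:
            return False
        _, latest = max(relevant, key=lambda pair: (to_utc(pair[1]["at"]), pair[0]))
        return latest["action"] == "grant"

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any event was altered, removed or reordered."""
        prev = GENESIS_HASH
        for ev in self.events:
            if ev["prev_hash"] != prev or event_hash(ev) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample events; not real data subjects.
    ledger = ConsentLedger()
    ledger.grant("DS-0001", "marketing_sms", "2024-03-01T09:00:00+03:00", "signup-form v4, ref 88213")
    ledger.withdraw("DS-0001", "marketing_sms", "2024-05-10T14:30:00+03:00", "USSD STOP, session 5519")
    print(ledger.is_consented("DS-0001", "marketing_sms", "2024-04-01T00:00:00+03:00"))  # True
    print(ledger.is_consented("DS-0001", "marketing_sms", "2024-06-01T00:00:00+03:00"))  # False
    print(ledger.verify_chain())  # True
```

The ledger answers the auditor's question ("show me the indication you relied on for this message on this date") and the engineer's question ("may this job send to this subject now") from the same records; a system that overwrites a consent flag in place can answer only the second.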
How Does Kenya DPA Affect Cybersecurity Sales?
ODPC enforcement has been active since 2022 with multi-million-shilling administrative fines and public registers of decisions, which gives sellers a real local enforcement story when calling on Kenyan banks, telcos, digital lenders, insurers, and SaaS vendors. Buyers need consent management, DPIA tooling, breach detection, registration portal management, and DPO-as-a-service. Pan-African vendors can use Kenya DPA controls as the regional baseline for Tanzania, Uganda, and Rwanda because those neighbors are still implementing or amending their statutes.
Read the full text of Kenya DPA at the official source: https://www.odpc.go.ke/dpa-act/
Frequently Asked Questions
What are the penalties for Kenya DPA non-compliance?
Administrative fines up to KES 5,000,000 or 1% of the annual turnover of the preceding financial year, whichever is lower, under Section 63. Criminal offences under Sections 72 to 73 carry fines up to KES 3,000,000 or imprisonment up to 10 years, or both. Civil remedies and compensation are available under Section 65.