Data Protection Act 2019 | Kenya Business directory

Data Protection Act 2019

Name

The Data Protection Act (DPA) 2019

Status

Act of Parliament, passed into law in 2019 by the retired President Uhuru Muigai Kenyatta

Applicable Predecessor Data Protection Guide

General Data Protection Regulation (GDPR) 2018

The European General Data Protection Regulation (GDPR), passed and adopted in the year 2018, is the most relevant data protection guide. It has been borrowed to institutionalise personal data protection for individuals across many countries in Europe, and by African states such as Kenya in its DPA.

Custodial Office

Office of the Data Protection Commissioner (ODPC)

According to the Office of the Data Protection Commissioner (ODPC), Kenya, the DPA is "An Act of Parliament to give effect to Article 31(c) and (d) of the Constitution; to establish the Office of the Data Protection Commissioner; to make provision for the regulation of the processing of personal data; to provide for the rights of data subjects and obligations of data controllers and processors; and for connected purposes."

What is required in processing Personal data

Section 18 of the Data Protection Act, 2019 and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 require that all public and private organizations and individuals processing personal data register with the ODPC.

Registration commenced on 14 July 2022, using the online application portal developed and managed by the ODPC.

The Importance of DPA 2019

It is a right of a data subject to access an effective remedy against a data controller and/or data processor, where they consider that their rights have been violated as a result of the processing of their personal data in non-compliance with the law.

The protection of vital interests of the data subject or another natural person is a lawful basis for processing of personal data under the Act. It is also a basis for processing of sensitive personal data where the data subject or another person is physically or legally incapable of giving consent.

The Act seeks to empower individuals to take control of their personal data and to support organisations with their lawful processing of personal data.

Advantages of Data Protection Act

Prevents malicious damage to personal image

Prevents fraud and cybercrimes

Applying strong data protection measures and safeguards protects not only individuals' or customers' personal data, but also your organisation's data. This helps you avoid considerable problems that may damage your reputation or your organisation's confidential information.

Purpose of Data Regulations

This includes setting terms for how data is stored, protected, processed, accessed, and used. The agreement also defines what a processor can and cannot do with data. The DPA is a key component of GDPR compliance.

Guide to general categories of personal data

Some of the personal data you process can be more sensitive in nature and therefore requires a higher level of protection. The UK GDPR refers to these data as special categories of personal data. This means personal data about an individual's:

  1. race or ethnic origin
  2. political opinions
  3. religious or philosophical beliefs
  4. trade union membership
  5. genetic data
  6. biometric data (where this is used for identification purposes)
  7. health data
  8. sex life or sexual orientation.

What you need to know

There is a huge amount of data on open platforms such as websites, and some companies had not anticipated or planned well for such laws and guides.

The guide does not allow for any excuses, and anyone culpable will be held accountable for the mishandling of anyone's personal data.

It is your duty as a data handler to review all your policies to ensure that any data held and processed by any individual, or by your company or organization, is handled lawfully. Consider even the activities held by any departmental arm of your company, such as Corporate Social Responsibility (CSR), and check that they do not conflict with the personal-data rights of an individual or people.

Compliance Approaches

Huge volumes of data are collected daily, stored and processed for various purposes. No single human intervention of any nature can ensure full compliance with guides such as the GDPR.

Fortunately, technology and machines can assist with compliance in data management, such as in collecting, storing, processing and assigning rights to parties handling people's data, while ensuring compliance with the laid-down data handling rules and regulations.

The 2 most applicable approaches are:

  • Human planning and policy development
  • Adopting an effective Data-Protection technology approach and policy

The next read will be on how to effect these approaches to ensure compliance on the basis of data governance.