The Kenya Data Protection Act, 2019 (KDPA) came into force in November 2019. The Office of the Data Protection Commissioner (ODPC) issued its first penalty notices in 2023. By 2026, fines are real (section 63 allows an administrative fine of up to KES 5 million or 1% of annual turnover, whichever is lower), registration is being checked, and the 'we didn't know' defence is no longer available.
If your business collects, stores or processes personal data of Kenyan residents (customer names, phone numbers, national IDs, medical records, transaction history), you are a Data Controller or Data Processor under the KDPA, and you are required to comply.
What compliance actually requires
Most Kenyan businesses think KDPA compliance is a form you file with the ODPC. It is not. Compliance is an ongoing operational state involving policy, process, technology and staff behaviour.
- Registration: Data Controllers and Processors must register with the ODPC. The Registration Regulations, 2021 exempt entities below a turnover and headcount threshold unless they process data in listed sectors (health, financial services, hospitality and education among them), so confirm which category you fall into rather than assuming you are exempt.
- Privacy Policy: documented, specific, and accessible to data subjects
- Data mapping: you must know what data you collect, where it lives, and who can access it
- Lawful basis and consent: every processing activity needs a lawful basis under section 30. Where you rely on consent it must be express and freely given, and section 32 puts the burden of proving that consent on you, so record when and how it was obtained
- Retention policy: defined periods; you cannot keep data indefinitely
- Security controls: technical measures to protect data (encryption, access controls, audit logging)
- Breach response: a documented plan, notification to the ODPC within 72 hours of becoming aware of a breach that poses a real risk of harm, and written notification to the affected data subjects within a reasonably practical period (section 43)
- Data subject rights: a process for access requests, corrections, deletions and objections, with responses within the statutory timelines
Who needs to worry about this?
The KDPA applies regardless of business size. If you process personal data of Kenyan residents, you are in scope. That includes:
- Retail businesses with customer loyalty programmes or payment records
- Healthcare providers: patient data is the highest-sensitivity category
- Hotels collecting guest information
- SACCOs and microfinance institutions
- Any business with employees in Kenya
- Online platforms and mobile apps with Kenyan users
- Companies processing M-Pesa transaction data
The Act defines "sensitive personal data" (health status, biometric and genetic data, ethnic origin, religious belief, sexual orientation, marital and family details and property details, among others) and imposes stricter conditions on processing it; health data in particular may only be processed by or under the responsibility of a healthcare provider or someone bound by a duty of confidentiality. Financial records and national ID numbers are not on that statutory list, but they are high-risk identifiers and the ODPC treats their mishandling seriously. If your business handles any of these, compliance is not optional.
What the ODPC actually checks
ODPC enforcement has focused on larger organisations so far, but the Act applies to all businesses. What auditors and investigators typically look for:
- No ODPC registration
- No Privacy Policy, or a generic one copied from the internet
- No documented data retention or deletion policy
- Personal data accessible to staff who don't need it
- No record of how data was collected or what consent was given
- No breach response plan, or worse, a breach that wasn't reported
The practical steps to get compliant
- Step 1: Data audit: map what personal data you collect and where it goes
- Step 2: Gap analysis: identify what's missing against KDPA requirements
- Step 3: Register with the ODPC (Data Controller or Processor registration)
- Step 4: Write and publish a proper Privacy Policy
- Step 5: Implement technical controls: encryption, access control, audit logging
- Step 6: Train staff: what counts as personal data and how to handle requests
- Step 7: Establish breach response procedures and notification process
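To make Steps 1, 5 and 7 concrete, here is a small added example (our illustration, not code from the page or the ODPC) showing what the technical side of those steps looks like in practice: a data map with a retention period per dataset, a purge that deletes records past retention and records each deletion in an audit log, a role-based read function that returns only the fields a role is entitled to see, and the 72-hour ODPC notification deadline from section 43. The dataset names, roles, retention periods, log key and sample records are constructed assumptions; the pseudonymisation of identifiers in the log is a keyed hash, not the at-rest encryption the policy also calls for.

```python
"""Added example, not from the original page: a data map with retention periods,
a retention purge that audit-logs each deletion, role-based field access, and the
section 43 notification deadline. All names, periods and records are assumptions."""
import hashlib
import hmac
from datetime import date, datetime, timedelta

# Step 1 output: one data-map entry per dataset holding personal data.
# retention_days values are illustrative; take yours from your retention policy.
DATA_MAP = {
    "guest_register": {
        "purpose": "hotel check-in",
        "fields": ["name", "national_id", "room"],
        "retention_days": 365,
    },
    "loyalty_customers": {
        "purpose": "loyalty programme",
        "fields": ["name", "phone", "national_id"],
        "retention_days": 730,
    },
}

# Step 5, access control: fields each role may read, per dataset.
# A role that is not listed for a dataset has no access to it at all.
ACCESS_POLICY = {
    "front_desk": {"guest_register": {"name", "room"}},
    "compliance": {
        "guest_register": {"name", "national_id", "room"},
        "loyalty_customers": {"name", "phone", "national_id"},
    },
}

# Step 5, audit logging: an in-memory list standing in for an append-only log sink.
AUDIT_LOG = []

# Assumed key for pseudonymising identifiers in the log; load from a secret store in practice.
LOG_KEY = b"constructed-demo-key-do-not-use"


def pseudonym(identifier):
    """Keyed hash of an identifier so the audit log never holds a raw national ID."""
    return hmac.new(LOG_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def audit(event, **details):
    """Append one timestamped event to the audit log and return it."""
    entry = {"ts": datetime.now().isoformat(timespec="seconds"), "event": event, **details}
    AUDIT_LOG.append(entry)
    return entry


def read_record(dataset, record, role):
    """Return only the fields `role` may see; log the access, or refuse and log the denial."""
    allowed = ACCESS_POLICY.get(role, {}).get(dataset)
    subject = pseudonym(record["national_id"])
    if not allowed:
        audit("access_denied", dataset=dataset, role=role, subject=subject)
        raise PermissionError(f"{role} has no access to {dataset}")
    audit("access", dataset=dataset, role=role, fields=sorted(allowed), subject=subject)
    return {k: v for k, v in record.items() if k in allowed}


def purge_expired(dataset, records, today_iso):
    """Drop records collected before today minus the dataset's retention period.
    Dates are ISO strings (YYYY-MM-DD). Each deletion is written to the audit log."""
    limit = date.fromisoformat(today_iso) - timedelta(days=DATA_MAP[dataset]["retention_days"])
    kept = []
    for rec in records:
        if date.fromisoformat(rec["collected_on"]) < limit:
            audit("retention_delete", dataset=dataset,
                  subject=pseudonym(rec["national_id"]), collected_on=rec["collected_on"])
        else:
            kept.append(rec)
    return kept


def odpc_deadline(detected_at_iso):
    """Section 43: the ODPC must be notified within 72 hours of becoming aware of a breach.
    Takes and returns an ISO datetime string (YYYY-MM-DDTHH:MM)."""
    detected = datetime.fromisoformat(detected_at_iso)
    return (detected + timedelta(hours=72)).isoformat(timespec="minutes")


if __name__ == "__main__":
    # Constructed sample records; not real people.
    guests = [
        {"name": "A. Guest", "national_id": "00000001", "room": "12", "collected_on": "2024-01-10"},
        {"name": "B. Guest", "national_id": "00000002", "room": "14", "collected_on": "2025-11-03"},
    ]
    print(read_record("guest_register", guests[0], "front_desk"))   # name and room only
    remaining = purge_expired("guest_register", guests, "2026-01-15")
    print(len(remaining), "record(s) remain after retention purge")
    print("Notify ODPC by", odpc_deadline("2026-01-15T09:00"))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the shape is that the three controls reinforce each other: the access policy is the written-down answer to "who can see this", the purge is the retention policy actually running rather than sitting in a document, and the audit log gives an investigator evidence of both without itself becoming another store of raw identifiers.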
KDPA compliance isn't a one-day project. But it doesn't have to take months either. A structured engagement covering audit, gap analysis, policy writing and technical controls can be completed in 2 to 4 weeks for most Kenyan SMBs.
// NOT SURE WHERE YOU STAND?
Get a free IT & security check.
We identify the gaps and tell you exactly what to fix first.
Book a Free Discovery Call