The much-awaited regulations for the implementation of the Data Protection Act, 2019 (the DPA), which were gazetted in January, have been approved and are now in force.

14 February 22

The regulations are a set of three and comprise:

  • the Data Protection (General) Regulations, 2021 (the General Regulations);
  • the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Registration Regulations); and
  • the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 (the Complaints Regulations).

The DPA itself has been in force since 2019 and parties are expected to be compliant with it.

These regulations cater for the procedural aspects of the DPA and cover a wide spectrum: the transfer of personal data, how data subjects’ rights should be provided for, the thresholds and requirements for the registration of data controllers and data processors, how complaints relating to infringements and contraventions of the DPA will be handled, and how enforcement procedures will be undertaken.

With the regulations in place, businesses should have a greater understanding of what is required of them to ensure that they are compliant with the law. At the same time, they can expect heightened scrutiny by the Office of the Data Protection Commissioner (ODPC), which is expected to be checking on data protection compliance. This will require businesses to rethink their operating models, particularly those that are reliant on the processing of personal data, such as those in e-commerce, financial services, hospitality and the health sector.

Below are the pertinent provisions of the regulations.

1. The General Regulations
The General Regulations provide for the various instances which trigger obligations for data controllers and data processors to data subjects. Additionally, the General Regulations provide for restrictions on the use of personal data for commercial purposes as well as provide for exemptions under the DPA, which include data processing in relation to national security and public interest.

2. The Registration Regulations
The Registration Regulations operationalise the requirement for data processors and data controllers to register with the ODPC, and are set to come into force 6 months from the date of publication, which the ODPC says is in July 2022. Registration is meant to take place online, on the ODPC’s website.

3. The Complaints Regulations
The Complaints Regulations primarily deal with the procedure for lodging a complaint with the ODPC. Generally, a data subject has the option of lodging a complaint orally, through electronic channels of communication, by any other appropriate means, or in person. Additionally, the Complaints Regulations provide for the issuance of enforcement and penalty notices, as contemplated under the DPA.

The regulations add to the previously issued Guidance Notes on Data Protection Impact Assessments, Consent and the ODPC’s Complaints Management Manual in providing much-needed clarity with respect to the obligations of data controllers and data processors.

Over the course of the next few days, we will be sharing a comprehensive analysis of the data protection regulations, the guidance notes, as well as the complaints management manual, and their impact on doing business in Kenya.

Should you have any questions on this legal alert, or need any advice in relation to the Data Protection Regulations, please do not hesitate to reach out to Sonal Tejpar, Anne Kiunuhe or Wangui Kaniaru.

The content of this alert is intended to be of general use only and should not be relied upon without seeking specific legal advice on any matter.