
Date: 6 March 2024

The number of countries with data protection laws is growing year on year. The African region is also gaining momentum in the number of countries that have enacted their own data protection law. At the time of this article, 36 of the 55 African countries have enacted a data protection law. In this article we will talk about the law regulating data protection in Kenya. We will take a deep dive into some of the core topics and compare the Kenya Data Protection Act 2019, published in the Kenya Gazette Supplement No 181 (Act No 24), to the EU GDPR.

The Kenya Data Protection Act (DPA) was enacted and came into effect on 25th November 2019. The legislation aims to safeguard individuals’ privacy rights and regulate data processing within Kenya. Subsequently, several regulations related to the DPA were also introduced, including:

  • Data Protection (General) Regulations, 2021
  • Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021
  • Data Protection (Compliance and Enforcement Procedures) Regulations, 2021

The above regulations supplement the Kenya DPA 2019 and help develop its implementation.

In this article we will provide an informed assessment of the law, comparing it to the EU Regulation 2016/679 (General Data Protection Regulation, “GDPR”).

Below is an overview of the sections covered in the law:

  • Part 1 – Preliminary.
  • Part 2 – Establishment of the office of The Data Protection Commissioner.
  • Part 3 – Registration of Data Controllers and Data Processors.
  • Part 4 – Principles and Obligations of Personal Data Protection.
  • Part 5 – Grounds for Processing of Sensitive Personal Data.
  • Part 6 – Transfer of Personal Data Outside of Kenya.
  • Part 7 – Exemptions.
  • Part 8 – Enforcement Provisions.
  • Part 9 – Financial Provisions.
  • Part 10 – Provision on Delegated Powers.
  • Part 11 – Miscellaneous Provisions.

Section 2 of the Kenya Data Protection Act provides a list of definitions for key terms used. We have included some of these terms in this article, giving the text in the law and, where necessary, a plain English definition.

Data Controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.

Data Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Data Subject
An identified or identifiable natural person who is the subject of personal data.
In simple terms, this is the person to whom the personal information relates.

Personal Data
Any information relating to an identified or identifiable natural person.
Examples of personal data would include: name, address, date of birth, national identity number, passport number, health records, voice, fingerprints, eye retina etc.

Processing
Any operation or sets of operations which is performed on personal data or on sets of personal data whether or not by automated means.

Consent
Any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.
Consent should be freely given and shown by an affirmative action, like a signature or clicking a consent button with an online order. Consent should not be obtained through pre-ticked boxes or automatic opt-in without the data subject being aware.

Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Sensitive Data
Data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.

Biometric Data
Personal data resulting from specific technical processing based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, retinal scanning and voice recognition.

Health Data
Data related to the state of physical or mental health of the data subject and includes records regarding the past, present or future state of the health, data collected in the course of registration for, or provision of health services, or data which associates the data subject to the provision of specific health services.

Anonymisation
The removal of personal identifiers from personal data so that the data subject is no longer identifiable.

Pseudonymisation
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
This is a method of masking the identity of the data subject to provide additional safeguards.

Register
The register kept and maintained by the Data Commissioner under section 21.

Kenya has appointed a Data Protection Commissioner (‘the Commissioner’) to oversee and govern the law, and subsequently the Office of the Data Protection Commissioner (‘ODPC’) has been set up. The Data Commissioner was formally appointed on 16 November 2020.

With any new law there needs to be clarity and guidance from the governing body, and the ODPC has already provided guidance note for:

With the law established, we don’t anticipate any further significant changes to the data protection laws in Kenya. If there are any additional guidance notes, they will be published here: Guidelines – OFFICE OF THE DATA PROTECTION COMMISSIONER KENYA (odpc.go.ke)

There are several similarities between the EU GDPR and the Kenya Data Protection Act, including the provisions of monetary penalties and the types of mitigating factors that can be taken into account. However, key differences between the pieces of legislation are that the Kenya DPA provides for potential prison terms, that individuals may be held liable for offences, and that the amounts of the fines that may be issued differ.

The DPA gives the Office of the Data Commissioner the power to impose administrative fines for failure to comply with the DPA.

The Office of the Data Commissioner may impose a fine of up to KES. 5 million (approx. USD. 50,000) or, in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower. The fine is payable to the Office of the Data Commissioner.

Failure to comply with an order of the Office of the Data Commissioner is considered an offence under the DPA.

There are certain criminal sanctions under the Kenya DPA that can be applied. An offence under the DPA carries a general penalty of a fine not exceeding KES. 3 million (USD. 30,000) or an imprisonment term not exceeding ten years, or both.

The Data Protection Act in Kenya is applicable to Data Controllers and Data Processors who process personal data of data subjects located within the country of Kenya and who are either established or resident in or outside of Kenya. The Kenya Data Protection Act has both territorial and extraterritorial scope of application, which is one of the similarities with the EU GDPR.

So what does this mean?
It applies not only to data processors and controllers within Kenya, but also to those outside Kenya who process the personal data of individuals located in Kenya.

Whether a data processor or controller is a resident or non-resident, as long as they handle the data of Kenyan data subjects, the Act is applicable. This provision ensures that the protection of personal data extends beyond the Kenyan borders, emphasizing the importance of safeguarding individuals’ privacy rights globally.

So exactly what does this mean? The law applies:

  • If the Data Controllers or Data Processors are established or ordinarily resident in Kenya and process personal data in Kenya.
  • If the Data Controllers and Data Processors have a legal presence outside of Kenya but process the personal data of data subjects located in Kenya.

Let’s use two examples to show what this means.

  • The Act would apply to a retail company that is a legal entity within Kenya and processes the personal information of customers.
  • The Act would apply to an airline that does not have a legal presence in Kenya if a Kenyan data subject is a passenger of the airline and the airline processes the personal data of that data subject. This is known as extraterritorial scope.

The world is increasingly interconnected and a lot of transactions happen between countries. This means that data needs to be shared from one location to another. This data can include personal information. Before a Data Controller or Processor transfers data outside Kenya, they need to ensure that the transfer is carried out using at least one of the following:

  • Appropriate data protection safeguards.
    • A transfer is allowed if you have given the Data Commissioner proof of the appropriate safeguards that you have put in place with respect to the security and protection of personal data.
  • An adequacy decision made by the Data Commissioner.
    • The transfer can happen where the Data Commissioner has deemed that the destination country has data protection laws with a level of protection greater than or equal to that of the Kenya data protection law.
  • Transfer as a necessity (performance of a contract etc.).
    • You should be able to demonstrate that the transfer is necessary for the performance of a contract between the data subject and the data controller or data processor.
  • Consent of the data subject.
    • The data subject is aware that their personal data will be transferred outside of Kenya and the data subject has given consent for this to happen.

Please note that if the personal data to be transferred outside of Kenya contains sensitive data, then consent will need to be obtained.

Sections 18 to 21 detail where Data Controllers or Data Processors need to register with the commission before processing any personal data covered under the Kenya data protection act. Please note, data controllers and data processors with an annual turnover of below KES. 5 million (approx. USD. 50,000) or annual revenue of below KES. 5 million (approx. USD. 50,000) and that have fewer than 10 employees are exempt from the mandatory requirement for registration.

Where registration is required, Section 19 states that applications shall provide the following information:

  • A completed application form;
  • Receipt for the prescribed registration fees;
  • A copy of the establishment or incorporation documents;
  • Details of the data controllers or data processors including name and contact details;
  • A description of the purpose for which the personal data is to be processed;
  • The category of data subjects, to which the personal data relates;
  • A general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data;
  • Any measures to indemnify the data subject from unlawful use of data by the data processor or data controller;
  • Any other details as may be prescribed by the Data Commissioner.

I would recommend creating a Record of Processing Activity (ROPA). This will provide the data controller with a full understanding of each data process. Further down in the article I talk more about a record of processing activity and why it’s best practice with any data protection framework. This ROPA document will provide all the information needed to be shared with the commissioner during registration.

Once the application for registration is processed and approved, a Certificate of Registration will be issued, valid for 24 months from the date of issuance.

Section 21 states that the commissioner will maintain a record of data controllers and data processors. This is common practice amongst modern data protection laws. For example, with the UK Data Protection Act 2018 (UK GDPR), all data controllers register and pay a fee to the Information Commissioner’s Office (ICO). The ICO then maintains a register.
The Kenya Data Protection Act does not state that a fee will be charged for registration.

A Record of Processing Activity allows a data controller to fully understand in detail all the individual processes that include personal data. In our opinion, having a ROPA document that is kept up to date is essential for any data protection framework. The Kenya Data Protection Act does NOT require the data controller to explicitly create a record of processing activity. Datahub Consulting would always recommend creating a record of processing activity as best practice guidance even if the applicable law does not explicitly state this.

What to include in the ROPA document:

  • Name of the process
  • What personal information is collected.
  • How it’s collected.
  • Who has access to it.
  • Retention period.
  • Lawful processing reason.
  • How consent was gained.
  • If the personal information includes sensitive data, or the data of children.
  • Who it is shared with and how, including any cross border transfers.

Section 39 requires Data Controllers and Data Processors to retain personal data only for as long as may be reasonably necessary for the purpose. There is no specific requirement for Data Controllers and Processors to maintain a data retention schedule, but in our opinion any good data protection framework would include a retention schedule. This will allow for better management of when and how personal data will be deleted after the given retention period ends.

Data Protection Impact Assessments (DPIA) are a method to assess and mitigate any risks associated with a process that includes personal data. In the Kenya data protection act, section 31 states that a DPIA will be carried out where the processing of personal data is likely to result in high risk to the rights and freedoms of a data subject.
The Kenya Data Commissioner’s office has released guidance on the DPIA. You can download and read the guidance here: ODPC Guidance Note on Data Protection Impact Assessment – OFFICE OF THE DATA PROTECTION COMMISSIONER KENYA

The act requires the data controller or data processor to submit the DPIA 60 days before commencement of the process. But as the law has recently been introduced, the Data Commissioner’s office will take this into consideration for any late submissions.

Section 7 (Purpose of guidelines) of the Guidance Notes for Data Protection Impact Assessments states that the impact assessment will be carried out and submitted to the Data Commissioner’s Office.

In our evaluation we found the guidance to be very informative; it provided clear instruction on completing the DPIA, complete with example template risk assessments and sign off records.

With the EU GDPR, DPIAs don’t need to be submitted to the Supervisory Authority. They just need to be carried out and approved by the DPO. Then they are filed and a log kept by the organisation for reference. The Supervisory Authority may want a copy sent to them if there is a data breach or a complaint raised against the organisation.

The EU GDPR came into law in May 2018 and is considered one of the front runners of modern data protection laws. In today’s world of internet sales outgrowing high street sales, international travel with digital passports, facial recognition used more and more etc., older data protection laws are not fit for purpose. The EU GDPR was seen by the world as the benchmark for data protection law to take modern living into consideration.

With that in mind, in this article we plan to look at the Kenya data protection law comparing it to the EU GDPR.

Section 25 of the Kenya DPA identifies the core principles of the law and how both data controllers and data processors can process the personal information. Let’s have a look at these in a bit more detail:

What the Kenya DPA says…

The Kenya Data Protection Act of 2019 outlines several principles that guide the processing of personal data. These principles are essential for safeguarding individuals’ privacy and ensuring fair and transparent data handling. Here are the key principles:

25 (a) Right to Privacy
Processed in accordance with the right to privacy of the data subject.

25 (b) Lawfulness, Fairness, and Transparency
Data controllers and processors must handle personal data in a lawful and transparent manner. They should provide clear information to data subjects about how their data will be processed.

25 (c) Purpose Limitation
Personal data should only be processed for explicit, specified, and legitimate purposes. Organizations must not use data beyond what is necessary for the intended purpose.

25 (d) Restrictions on Processing
Adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed. Organizations must comply with restrictions on processing personal data, such as not using it for purposes incompatible with the original purpose.

25 (e) Data Minimization
Personal data collected should be adequate, relevant, and limited to what is necessary for the specific processing purposes. Unnecessary data should not be retained.

25 (f) Accuracy
Organizations must ensure that the personal data they hold is accurate, up-to-date, and relevant. Data subjects have the right to request corrections if inaccuracies are identified.

25 (g) Anonymization
Kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected.
Anonymizing personal data where possible is advised and is considered best practice within data protection frameworks.

25 (h) International Transfers
Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

What the EU GDPR says…

The General Data Protection Regulation (GDPR) is designed to protect individuals’ privacy and regulate the processing of personal data. Here are the key principles outlined by the GDPR:

Lawfulness, Fairness, and Transparency
Data processing must have a legal basis (such as consent or contractual necessity). Individuals must be informed about how their data will be processed in a clear and transparent manner.

Purpose Limitation
Personal data should only be collected for specific, explicit, and legitimate purposes. Organizations must not use data beyond what is necessary for those purposes.

Data Minimization
Collect only the minimum amount of personal data necessary for the intended purpose. Avoid excessive or irrelevant data collection.

Accuracy
Ensure that personal data is accurate, up-to-date, and relevant. Correct inaccuracies promptly when identified.

Storage Limitation
Personal data should not be retained longer than necessary for the specified purpose. Implement appropriate retention periods.

Integrity and Confidentiality
Protect personal data against unauthorized access, loss, or destruction. Implement security measures to ensure data confidentiality and integrity.

Accountability
Organizations are responsible for compliance with the GDPR. Maintain records of data processing activities. Demonstrate compliance through policies, procedures, and documentation.

As you can see, there are similarities between the Kenya data protection act 2019 and the EU GDPR. Sections 25 (g) and 25 (h) define that personal information should be anonymized where possible, and should not be transferred over borders where possible. These topics are covered in the EU GDPR but are not detailed in Article 5 (Principles relating to processing of personal information).

For any data controller to process the personal information of data subjects, they have to have a lawful reason to do so.

Article 6 of the EU GDPR provides the legal bases for processing the personal information of data subjects. Within the Kenya data protection act there are similar legal reasons that are detailed in Section 30 of the Kenya Data Protection act 2019. In the table below we will compare the Kenya DPA to the EU GDPR.

What the Kenya DPA says…

30.1 (a) Consent
The data subject consents to the processing for one or more specified purpose. Like the EU GDPR consent is the main lawful processing reason.

30.1 (b.1) Contractual
For the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract.

30.1 (b.2) Legal Obligation
For compliance with any legal obligation to which the controller is subject.

30.1 (b.3) Data Subject Interest
In order to protect the vital interests of the data subject or another natural person.

30.1 (b.4) & 30.1 (b.6) Public Interest
For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

30.1 (b.5) Public Authority
The performance of any task carried out by a public authority. This would be used

30.1 (b.7) Legitimate Interest
For the legitimate interests pursued by the data controller or data processor by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject

30.1 (b.8) Legal Bases for Other Instances
For the purpose of historical, statistical, journalistic, literature and art or scientific research.

What the EU GDPR says…

Consent
the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Contractual
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Legal Obligation
processing is necessary for compliance with a legal obligation to which the controller is subject.

Vital Interest
processing is necessary in order to protect the vital interests of the data subject or of another natural person.

Public Interest
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Legitimate Interest
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Please note that the wording of sections 30.1 (b.4) and 30.1 (b.6) both relates to processing of personal data in relation to public interest.

Under the Kenya Data Protection Act, 2019, data subjects are granted several rights concerning their personal data. These rights are designed to give individuals control over their personal data and ensure their privacy is respected.

What the Kenya DPA says…

26 (a) Right to be Informed
Data subjects have the right to be informed about the collection and use of their personal data. This includes the purposes for processing their data, the recipients or categories of recipients of the data, and the existence of any data transfer to another country or international organization.

26 (b) Right of Access
Data subjects have the right to access their personal data held by a data controller or processor. This includes the right to obtain confirmation as to whether or not personal data concerning them is being processed, accessed, and any other relevant information regarding their data.

26 (c) Right to Object
Data subjects have the right to object to the processing of their personal data in certain circumstances, including for direct marketing, scientific or historical research, or statistical purposes.

26 (d) Right to Rectification
Data subjects have the right to have inaccurate personal data rectified, or completed if it is incomplete.

26 (e) Right of Deletion
The law states that the data subject has the right of deletion where personal data is false or misleading.
This is not the same as the EU GDPR Right of Erasure.

What the EU GDPR says…

This is one area where the Kenya data protection act and the EU GDPR are different. The EU GDPR provides a more comprehensive view of data subject rights, allowing for more control for the data subject.

The EU GDPR rights of the data subject are:
1) Right to be Informed.
2) Right of Access.
3) Right to Rectification.
4) Right to be Forgotten.
5) Right to Restrict Processing.
6) Right to Data Portability.
7) Right to Object.
8) Rights in Relation to Automated Decision-Making and Profiling.

With the Kenya Data Protection Act, do organizations need to have a Data Protection Officer?

What the Kenya DPA says…

Section 24 provides information on the data protection officer.

The Kenya Data Protection Act does not explicitly require organizations to appoint a Data Protection Officer (DPO). However, it’s important to note that the Act does outline several obligations for organizations regarding the handling of personal data.

Under the Kenya Data Protection Act, organizations are required to appoint a Data Protection Officer (DPO) if they meet certain criteria. According to the Act, an organization must appoint a DPO if:
1) The organization processes personal data on a large scale; or
2) The organization processes sensitive personal data.

What the EU GDPR says…

Similarly, with the EU GDPR it’s not mandatory for all organizations to have a Data Protection Officer.

With the legislation there are three points where a data protection officer is mandatory. These are:

1) If the processing is carried out by a public authority or body.

2) If the processing by the data controller or data processor includes regular and systematic monitoring of data subjects on a large scale.

3) If the core processing of the data controller or data processor involves large scale processing of special category data.

Voluntary Appointment of a DPO

If there is no statutory requirement for you to fulfil the role of a DPO then the choice is up to the organisation. All organisations that process personal information of data subjects are required to maintain a level of compliance to safeguard the data of the data subjects. For this reason, most organisations do have a DPO in place.

Datahub would always recommend the appointment of a DPO for their knowledge and guidance on the law. Also, the law can change over time, and a DPO in place can advise the organisation accordingly.

DPOs play crucial roles, including advising data controllers and processors on data processing requirements, ensuring compliance with the Act, facilitating capacity building for staff involved in data processing, and cooperating with relevant authorities on data protection matters.


The Act and the GDPR have broadly similar security requirements with both establishing principles of Privacy by Default and by Design. They also have comparable data breach notification obligations, such as notifying authorities within 72 hours.

What the Kenya DPA says…

Data Breach Notification
Data breach notifications are covered in Section 43.

Where personal data is involved in a data breach there are two notifications to consider.
The commissioner’s office, the ODPC, must be notified “without undue delay” and, where feasible, not later than 72 hours after having become aware of the data breach.

If the notification to the ODPC is not made within 72 hours, it must be accompanied by reasons for the delay.

In addition to notifying the ODPC, the data controller must communicate the personal data breach to the data subject(s) without undue delay if the breach is likely to result in a high risk to the rights and freedoms of the data subject.

What the EU GDPR says…

Data Breach Notification
If a data breach occurs then, like the Kenya DPA, the data controller must notify the relevant Supervisory Authority (SA). As the EU GDPR applies to a group of countries, each with their own SA, the Supervisory Authority in the countries where the data breach occurred needs to be notified within 72 hours.

Where the rights and freedoms of the data subject are affected, the data subjects need to be notified without “undue delay”.

Organizations operating in Kenya must ensure they have a robust data breach incident response plan in place to meet these notification requirements in the event of a data breach.

What the Kenya DPA says…

In Kenya, the Data Protection Act, 2019 recognizes that children are vulnerable members of society. Therefore, it places importance on safeguarding their personal data from illegal access and misuse. Here are some key points related to children’s personal data under the act.

Who is Considered a Child
Under the act the definition of a child is the same as the Children Act 2001. Any person under the age of 18 is defined as a child.
You can download a copy of the Children’s Act of 2001 here:
ChildrenAct_No8of2001.pdf (kenyalaw.org)

Lawful Processing of Children’s Data
The processing of personal data is lawful if undertaken pursuant to the act and in accordance with provisions of various laws, including the Children Act.
Data controllers and data processors are prohibited from processing personal data relating to a child unless they obtain consent from the child’s parent or guardian. Data controllers and processors are required under the law to incorporate mechanisms for age verification and consent when processing personal data of a child.

What the EU GDPR says…

Like the Kenya DPA, there are additional considerations when processing the personal information of children. Organizations need to have the processes and controls in place to identify children and to gain the explicit consent to do so.

Who is Considered a Child
The age threshold for obtaining parental consent is established by each EU Member State and can be between 13 and 16 years. So why is there a range and how is this applied to the law?
Under EU GDPR Article 8, the age of consent is set at 16 as a default. This is where the EU GDPR is different to the Kenya DPA. As the EU is made up of a number of countries, there is a challenge to set a specific age that doesn’t conflict with local country law for age of consent for all countries involved. This is why the EU GDPR allows for an age range with upper and lower limits. The term used to allow for changes to the consent age from one country to another is referred to as “Derogation”.
Please note that as a data controller or processor you will need to be aware of the age of consent for each specific country. In the appendix we have listed the EU country and the age of consent.

Lawful Processing of Children’s Data
Like the Kenya DPA, processing the personal data is only lawful when the data controller and data processors obtain the consent of the child’s parent or legal guardian.

Overall, the Kenya data protection act 2019 provides a good framework for safeguarding the personal data of data subjects. It has a lot of similarities with the EU GDPR, which is considered by many data protection professionals as the benchmark of modern data protection laws. In our opinion not all the data protection laws enacted in Africa provide the necessary safeguards for modern use of personal information taking into consideration mobile phone apps, use of machine learning and AI, health data, and biometric data like fingerprints and DNA, but in our opinion the Kenya data protection act covers these topics to an acceptable level.

There are some areas that we would like to see either clarified, expanded on, or included. These are:

  • Unlike EU GDPR, the DPA does not explicitly require data controllers to keep records of their processing activities. This area is unclear. Section 4 (a) states that “this act applies to the processing of personal data entered in a record, by or for a data controller or processor by making use of automated or non-automated means”. In our opinion this is an area where the law could improve. A good data protection framework will allow for data controllers to know all the details of any data processing under their control. We would recommend to any client creating a record of processing activity and also mapping the data in a process flow.
  • Clarity of information in the law. The Kenya DPA does not explicitly mention data subjects’ nationality or residency, or whether it includes deceased data subjects.
  • Rights of the data subject. There are areas where we feel that this is lacking. For example, the law does not explicitly provide for a right to erasure. It states the right of deletion if the information is false or misleading. But a data subject cannot ask for their personal data to be erased.

Datahub are experts in global data protection laws, and a leader in Aviation Data Protection with our Aviation Center of Excellence.
