OLM KNOWLEDGE — LEGAL GUIDE

Technology Law and Data Protection Compliance in Kenya

A practical guide to data protection compliance in Kenya under the Data Protection Act, 2019 — and the ODPC’s new enforcement era.

At a glance

  • The Data Protection Act 2019 (No. 24 of 2019) and three sets of 2021 Regulations require lawful processing, registration with the ODPC, and respect for data subjects’ rights.
  • Processing must satisfy the section 25 principles and rest on a lawful basis under section 30; higher-risk processing needs an impact assessment under section 31.
  • Enforcement has sharpened: the ODPC determined 96 complaints in 2025, with penalties of up to KES 5 million or 1% of annual turnover under section 63.
  • Breaches must be notified — within 72 hours to the ODPC under the Act, and within 24 hours for designated critical-infrastructure operators.
  • The Computer Misuse and Cybercrimes Act 2018, amended in 2025, and the 2024 critical-infrastructure rules add a parallel cybersecurity regime.

Data subjects’ rights

Part V of the Act gives individuals enforceable rights that a business must be able to honour: to be informed of how their data is used; to access it; to have inaccurate data corrected; to have data deleted or erased; to object to processing, including direct marketing; and not to be subject to a decision based solely on automated processing where it produces significant effects. A controller needs a process to recognise and respond to these requests within the statutory timelines — not an ad hoc reaction when one arrives.

The enforcement era has arrived

The clearest signal is in the numbers. In 2025 the ODPC determined 96 complaints, almost double the previous year, and shifted from foundational compliance towards structured accountability, issuing penalty notices and, in several matters, recommending the prosecution of company directors for obstructing investigations — a reminder that the consequences are not always purely financial.

The courts have backed the regulator. In Regus Kenya Limited v Data Protection Commissioner [2025] eKLR, a former client complained of unsolicited marketing sent after the commercial relationship had ended, in breach of Article 31 and the Act; the High Court upheld the Commissioner’s findings, while reducing the penalty in recognition of a first-time offender. The deeper lesson is about consent: as the ODPC’s determinations now make plain, the burden of proving consent rests on the controller, who must show how and when explicit consent was obtained. Implied or informal consent is not enough.

Penalties and breach notification

Under section 63 the ODPC can impose an administrative penalty of up to KES 5 million, or 1% of annual turnover, whichever is lower, alongside enforcement and penalty notices. Separately, the Act requires a controller to notify the ODPC of a personal-data breach within 72 hours of becoming aware of it, and, where there is a real risk of harm, to notify affected data subjects. For operators caught by the critical-infrastructure rules (below), the reporting clock is tighter still.

Where data protection meets cybersecurity

The Computer Misuse and Cybercrimes (Amendment) Act 2024 was assented to on 15 October 2025, targeting emerging threats such as SIM-swap fraud, phishing, identity theft and online harassment, and raising penalties — with severe offences attracting fines of up to KSh 10 million or lengthy imprisonment. Earlier, the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations 2024 (Legal Notice 44 of 2024) introduced cyber risk-assessment and incident-response duties and breach reporting within 24 hours for designated critical sectors, including telecommunications, banking and finance. A business in those sectors must align its incident-response plan, vendor contracts and reporting lines so a single incident triggers a coordinated, time-bound response rather than a scramble.

Cross-border transfers

Transferring personal data outside Kenya is lawful only on specific grounds under the Act — adequacy of protection in the destination, appropriate safeguards such as contractual clauses, or the data subject’s explicit consent — with stricter conditions for sensitive data. The ODPC has shown it will coordinate with regional regulators where data crosses borders, so group, cloud and outsourcing arrangements must be properly papered with the lawful basis for each transfer documented.

What’s coming

In December 2024 the ODPC published a draft Conduct of Compliance Audit Regulations and a draft Data Sharing Code for consultation. These remain proposals rather than law, but they signal the direction of travel: towards audited, demonstrable compliance, where being able to evidence your programme matters as much as having one.

What you should do now

  • Register (or confirm registration) with the ODPC as a controller or processor, and map your processing to a lawful basis under section 30.
  • Run an impact assessment for higher-risk processing under section 31, and appoint a data protection lead.
  • Build a rights-request process that meets the statutory timelines for access, correction, erasure and objection.
  • Rebuild consent capture so it is explicit, recorded, time-stamped and easy to withdraw.
  • Prepare for breaches with a plan that can notify within 72 hours — 24 hours where the critical-infrastructure rules apply — and train staff, keeping evidence of that training.

Frequently asked questions

Who must register with the ODPC in Kenya?

Broadly, data controllers and processors with annual turnover above KES 5 million, or those processing sensitive or large-scale data, must register under the 2021 Registration Regulations, subject to limited exemptions.

What are the penalties for breaching the Data Protection Act 2019?

Under section 63, an administrative penalty of up to KES 5 million or 1% of annual turnover, whichever is lower, alongside enforcement notices and, for obstruction, recommendations to prosecute.

How quickly must I report a data breach?

Within 72 hours of becoming aware, to the ODPC, under the Act — and within 24 hours where the 2024 critical-information-infrastructure rules apply. Affected individuals must be told where there is a real risk of harm.

Is implied consent enough under Kenyan law?

No. The ODPC’s 2025 determinations reject implied or informal consent; the controller must be able to show how and when explicit consent was obtained.

Can I transfer personal data outside Kenya?

Only on a lawful ground — adequacy of protection, appropriate safeguards, or explicit consent — with stricter conditions for sensitive data, and with the basis for each transfer documented.


Speak to Our Data Protection & Privacy Team

Our data protection team advises on ODPC registration, compliance audits, breach response, cross-border transfers and DPA enforcement.

For any enquiries on this or any other matter, do not hesitate to contact us via email at [email protected].


Disclaimer: This article has been prepared for informational purposes only and is not legal advice. This information is not intended to create, and receipt of it does not constitute a lawyer-client relationship. Nothing in this article is intended to guarantee, warranty, or predict the outcome of a particular case and should not be construed as such a guarantee, warranty, or prediction. The authors are not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information. Readers should take specific advice from a qualified professional when dealing with specific situations.