Data Protection & Privacy

Compliance programmes under the Kenya Data Protection Act 2019 — data controller and data processor registration with the Office of the Data Protection Commissioner (ODPC), data protection impact assessments (DPIAs), cross-border data transfer authorisations, privacy notices, data-subject request handling, breach notification, and defence of ODPC enforcement proceedings and complaints. We also advise on parallel GDPR alignment for clients with European operations.

What we advise on. We build and run end-to-end data-protection compliance programmes: registration of data controllers and data processors with the Office of the Data Protection Commissioner (ODPC); data mapping and records of processing activities; data protection impact assessments (DPIAs) for high-risk processing; privacy notices, consent frameworks and cookie compliance; data-processing agreements and data-sharing agreements; cross-border data-transfer mechanisms; appointment and outsourcing of the Data Protection Officer (DPO) role; staff training; and incident-response and breach-notification playbooks. On the contentious side we defend ODPC investigations, audits, complaints and enforcement actions, and we advise on data-subject compensation claims.

Governing law and regulators. Our advice is grounded in the Data Protection Act 2019 and the three sets of subsidiary regulations made under it — the Data Protection (General) Regulations 2021, the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021, and the Data Protection (Compliance and Enforcement) Regulations 2021 — all enforced by the Office of the Data Protection Commissioner (ODPC). For clients with European or UK operations, we align Kenyan compliance with the EU and UK General Data Protection Regulation (GDPR), whose structure closely mirrors the Kenyan regime, so a single programme can satisfy both.

Who we act for. We act for technology companies, fintechs and digital-credit providers, banks and financial institutions, health providers and pharmaceutical companies, multinationals with Kenyan subsidiaries, NGOs and development partners, and any business collecting personal data at scale. Sector-specific data protection requirements — especially in banking, health and telecoms — mean that industry knowledge and legal knowledge must work together, and we bring both.

Why OLM for data protection and privacy. Data-protection compliance is not a filing exercise — it is an operational programme that must survive an ODPC audit, a data-subject complaint, or a breach. We build compliance that works in practice, and when a regulator or complainant comes knocking, we defend it with the same team that built it.

Frequently Asked Questions

Who must register with the ODPC in Kenya? Every data controller and data processor must register with the Office of the Data Protection Commissioner unless exempt. Registration is online and must be renewed annually. We manage registration and annual renewal for clients.

What is a data protection impact assessment (DPIA)? A DPIA is a structured risk assessment required before any high-risk processing of personal data — such as large-scale profiling, systematic monitoring, or processing of sensitive data categories. We design and conduct DPIAs and integrate findings into the compliance programme.

Does Kenya’s Data Protection Act apply to foreign companies? Yes. The DPA applies to any person who processes personal data in the context of activities carried out in Kenya, or who processes the personal data of data subjects in Kenya, regardless of where the processing takes place. We advise non-resident entities on their obligations.

What are the penalties for breach of Kenya’s Data Protection Act? The ODPC can impose fines of up to KES 5 million or three years’ imprisonment for individuals, and fines of up to KES 5 million or 1% of annual turnover for organisations. We advise on compliance and defend enforcement actions.