I. Why Data Protection Matters
If your organization collects names, contacts, ID numbers, or any other personal information, then you have a legal responsibility to protect that data. Data protection is about safeguarding this information from unauthorized access, misuse, or loss. It involves setting up clear internal processes, policies, and systems to make sure personal data stays secure, accurate, and only accessible to those who need it.
With Kenya’s fast-growing digital economy, more organizations are handling personal data than ever before. Whether you're a business, nonprofit, startup, or community group, data protection is no longer a luxury; it’s a legal and operational necessity.
III. Understanding the Legal Landscape
Article 31 of the Constitution of Kenya guarantees every person the right to privacy. This right is given effect through the Data Protection Act, 2019, which outlines how personal data should be collected, used, shared, and stored. The law applies to both local and international entities that process personal data in Kenya.
The Office of the Data Protection Commissioner (ODPC) is responsible for enforcing the law, including overseeing compliance, handling complaints, and issuing penalties.
IV. Know Your Role
Whether you collect email addresses for a newsletter, manage donor databases, run an e-commerce store, or operate a mobile app, chances are you’re either a data controller or data processor under Kenya’s Data Protection Act. That means you have specific legal duties. Controllers decide how and why personal data is used, while processors handle data on someone else’s behalf. Knowing where you fall helps you comply with the right rules and avoid costly mistakes.
V. Common Situations That Put You at Risk
1. You don’t have a privacy policy - or the one you have is outdated.
You launched your website or platform without including a privacy policy, or you’re still using a generic template that hasn’t been reviewed in years. Meanwhile, your business has grown, your data practices have evolved, but your policy hasn’t. It no longer reflects what personal data you collect, how you use it, or how users can exercise their rights. In the eyes of the law, that’s a red flag, and in the eyes of your users, it’s a reason not to trust you.
2. You keep old client data... just in case.
You wrapped up that project two years ago, but the files are still sitting in your inbox, on your laptop, or somewhere in a shared folder. You’re not even sure if the client knows their data still exists. Kenya’s Data Protection Act not only cares about how you collect data, but also how long you keep it. Holding on to personal data longer than necessary, without a clear legal reason, puts you in breach. And if a client ever asks you to delete it and you can’t? That’s a problem.
3. Staff Using Personal Devices
It feels convenient, especially for small teams or remote work setups, but it’s risky. When personal devices are used without clear policies or safeguards, there’s no control over where client data ends up. Is the device password-protected? Is the data encrypted? What happens if the gadget is lost, stolen, or shared at home? Without proper data handling protocols, you’re not just risking a breach; you’re exposing your clients’ personal information to environments you can’t manage or secure. And that’s exactly the kind of oversight that lands you on the radar of the Office of the Data Protection Commissioner (ODPC).
4. You use customer data for marketing... but never asked for consent.
You ran a campaign and used emails collected from past orders or sign-ups, figuring it’s all fair game. Maybe you even bought a list from “a friend.” But under the Data Protection Act, using someone’s personal information for a purpose they didn’t agree to, like marketing, is a big no. Consent isn’t optional, and vague terms like “for communication purposes” don’t cut it. If you’re not crystal clear and documented about consent, you’re already exposed.
5. Untrained Employees Handling Sensitive Data
Staff collect ID numbers, email addresses, financial records, or health information daily, yet they’ve never received proper training on data protection. They’re unaware of what counts as sensitive data, what needs consent, or how to respond to a data breach. As a result, they click suspicious links, store files carelessly, or overshare client details - not out of malice, but ignorance. Without basic data protection awareness, even well-meaning employees can put your entire organization at risk.
6. Collecting Excessive Data
You ask for ID numbers when an email would be enough. You require someone's full name, date of birth, physical address, and next of kin, just to create an online account or access a basic service. It may seem harmless or even “just in case,” but under Kenya’s Data Protection Act, you’re expected to collect only what’s necessary for a specific purpose. The more sensitive data you collect without justification, the bigger your legal risk if anything goes wrong, and the harder it is to defend your practices during a compliance audit.
VI. What You Stand to Lose
1. Financial Penalties
The ODPC can slap your organization with a fine of up to KES 5 million or one percent of your annual turnover. For a growing business or nonprofit, that kind of penalty can derail your operations, eat into your budget, or even shut you down. It’s a price you don’t have to pay if you’re compliant.
2. Loss of Public Trust
A single data slip-up can ruin how people see your organization. Clients start to question your credibility. Donors pull back. Partners hesitate. Rebuilding that trust takes time, money, and effort. And in a competitive space, people don’t always give second chances.
3. Legal Disputes
Data subjects can file complaints if they feel their data was misused. That means you could end up dealing with investigations, legal claims, and bad publicity. Even if the case doesn’t go against you, the time, money, and reputational dents are hard to undo.
4. Missed Opportunities
Some funders, partners, and clients will ask for proof of data compliance before doing business with you. If you don’t have the right policies and practices in place, you could lose out on grants, contracts, and other growth opportunities that would have taken your work to the next level.
VII. How We Help You Stay Compliant
1. Gap Assessment and Compliance Audit
We conduct a practical review of your data processes and flag areas that don’t meet legal requirements. You get a clear picture of what needs improvement and how to fix it.
2. Development of Internal Policies and Tools
We draft policies and practical tools tailored to your operations. These include privacy notices, data breach response plans, and consent forms, all aligned with Kenyan law and your day-to-day realities.
3. Staff and Leadership Training
We equip your team with the skills and knowledge needed to handle personal data responsibly. Our training sessions are customized, practical, and designed to reduce risks across the board.
4. Regulatory Support
We assist with ODPC registration, respond to regulatory queries, and help you put in place systems that demonstrate accountability and compliance. You stay legally protected and audit-ready.
VIII. Book a Consultation Today
If you’re unsure where your organization stands on data protection, we’re here to help. In a one-on-one session, we’ll walk you through what the law expects, where your gaps might be, and what practical steps you can take right now to stay compliant, avoid penalties, and build trust. It’s your first step toward doing things right.
About the Author
Valarie Waswa is a Certified Data Protection Officer, a lawyer by profession, an Advocate of the High Court of Kenya and East Africa by extension, and the Founding Partner of Valarie Waswa & Co. Advocates.
Contact Us
For more information, contact us on WhatsApp Business at +254 707 059 485 or email us at info@valariewaswa.com.