OPINION: Data Compliance for Kenyan Businesses in the Digital Age
In the age of artificial intelligence, cloud computing, e-commerce, and digital banking, data is not just a commodity—it is a cornerstone of modern life.
Every transaction, interaction, and registration leaves a digital footprint. Yet, despite this, many organizations in Kenya remain dangerously lax in how they collect, store, and process personal data.
The urgency of data compliance is not a theoretical debate. It is a pressing legal and ethical issue that touches on the dignity, autonomy, and safety of every Kenyan.
As an Advocate of the High Court and a legal practitioner deeply involved in regulatory compliance, I have seen firsthand the widespread lack of awareness and preparedness within corporate, governmental, and even nonprofit institutions.
The Constitutional Right to Privacy
The right to privacy is enshrined in Article 31 of the Constitution of Kenya, 2010, which states:
“Every person has the right to privacy, which includes the right not to have—
(a) their person, home or property searched;
(b) their possessions seized;
(c) information relating to their family or private affairs unnecessarily required or revealed; or
(d) the privacy of their communications infringed.”
This constitutional provision is not a mere formality. It recognizes that privacy is a fundamental human right—an anchor for human dignity, freedom of thought, and personal security.
The Data Protection Act, 2019: A Framework with Teeth
To give effect to this right, Kenya enacted the Data Protection Act, 2019, which came into force in November 2019. The Act sets out detailed rules governing how personal data should be collected, stored, processed, and shared. It applies to both private and public entities and establishes the Office of the Data Protection Commissioner (ODPC) to oversee compliance.
Despite this legal clarity, implementation remains low. Many companies still operate without even basic requirements such as:
- A published Privacy Policy
- Mechanisms for obtaining valid and informed consent
- Processes for handling data subject access requests
- Internal data handling protocols or staff training on data protection
Even more alarming is the absence of Data Protection Impact Assessments (DPIAs) in operations where they are not merely advisable but mandatory.
Why Conduct a DPIA?
A Data Protection Impact Assessment is a structured process for identifying and mitigating data protection risks before launching a new project or system. It is legally required under Section 31 of the Data Protection Act in situations where data processing is likely to result in a high risk to the rights and freedoms of individuals.
Examples include:
- Use of surveillance technologies in public spaces
- Deployment of mobile applications that collect personal or location data
- Handling of sensitive data in healthcare or financial services
- Cross-border transfer of personal data
A DPIA helps an organization to proactively recognize weaknesses in its data systems and address them before harm occurs. It also serves as proof of compliance should the ODPC initiate an audit or investigation.
The Cost of Non-Compliance
The cost of ignoring data compliance is steep—both financially and reputationally. Under the Data Protection Act, non-compliance can attract penalties of up to KES 5 million or 1% of annual turnover, whichever is higher. However, even beyond fines, the damage to consumer trust, brand reputation, and stakeholder relationships can be devastating.
We are beginning to see enforcement actions in Kenya. In 2023, the ODPC issued enforcement notices and fines against companies that mishandled customer data or failed to register as data controllers. This trend is only set to increase as the regulator becomes more active.
Beyond Legal Compliance
At its core, data protection is not merely a legal obligation—it is a moral duty. Organizations have a responsibility to treat personal data with care, transparency, and accountability. This means telling people clearly how their data will be used, giving them choices, and securing that data from breaches or misuse.
It also means respecting the rights of vulnerable groups—such as children, persons with disabilities, or the elderly—whose data may require heightened protections.
What Should Companies Do Now?
Businesses and institutions should begin with a clear compliance roadmap. This includes:
- Appointing or training a Data Protection Officer
- Conducting a data audit to map how personal data is collected and used
- Drafting or reviewing internal data policies and privacy statements
- Ensuring staff understand the principles of data protection
- Registering with the ODPC as a Data Controller or Data Processor
- Embedding regular Data Protection Impact Assessments into project lifecycles
Kenya is at a pivotal moment in its digital transformation. As fintech, healthtech, agritech, and e-commerce sectors grow, so too must our commitment to data privacy. Our laws have set the standard. Now, implementation must follow.
The age of digital convenience must not come at the cost of individual privacy. Data compliance is no longer a checkbox exercise—it is a safeguard for our digital future.
Susan Mute is an Advocate of the High Court of Kenya and Managing Partner at Susan Mute and Company Advocates.