TGS manohar lall

Kenya’s data protection Act

Kenya has implemented a comprehensive data protection law called the Data Protection Act, No. 24 of 2019 (the “Data Protection Act”). The Data Protection Act applies to all businesses operating in Kenya that process personal data, which includes any information related to an identified or identifiable natural person.

Under the Data Protection Act, businesses must comply with a number of obligations when processing personal data, including obtaining consent from individuals before collecting their personal data, maintaining the security and confidentiality of personal data, and only retaining personal data for as long as it is necessary. Businesses must also appoint a data protection officer who is responsible for ensuring compliance with the Data Protection Act.

The Data Protection Act also gives individuals the right to access and rectify their personal data, as well as the right to object to the processing of their personal data and the right to file a complaint with the Office of the Data Protection Commissioner if their personal data is misused.

Businesses that fail to comply with the Data Protection Act may face fines of up to KES 5 million (approximately USD 46,000) and imprisonment for the responsible parties.

Overall, the Data Protection Act has significant implications for businesses operating in Kenya, as it requires them to implement robust data protection policies and procedures to ensure compliance. It is important for businesses to understand and adhere to their obligations under the Data Protection Act in order to avoid potential penalties and reputational damage.