Data Protection Regulations, 2021


In November 2019, the Data Protection Act (the DPA) was rolled out to Kenyans with the aim of giving effect to Article 31(c) and (d) of the Constitution on the fundamental right to privacy. These two provisions guarantee every Kenyan Citizen the right to privacy regarding their personal information as well as that of their families. Additionally, the DPA makes provisions for the obligations that accrue to data controllers and data processors as well as the foundational principles of data protection.

Section 71 of the DPA empowers the Cabinet Secretary for Information, Communication, Technology, Innovation and Youth Affairs to make regulations that give its provisions effect. In line with this mandate, three regulations came into force on the 17th of February 2022. They include:

  1. The Data Protection (General) Regulations, 2021
    These Regulations set out the procedures for enforcement of the rights of the data subjects in the collection and processing
    of their personal data. Our analysis on the regulation can be accessed here.
  2. The Data Protection (Complaints Handling Procedure and Enforcement) Regulations. These Regulations put in place avenues for data subjects to lodge complaints and seek redress when their data is used without consent or terms of use of their personal data are violated. Our analysis on the regulation can be accessed here.
  3. The Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021 These Regulations outline the procedure adopted by the ODPC in registering data controllers and data processors as per the Data Protection Act. Our analysis on the regulation can be accessed here.

In case of any enquiry on these regulations, please reach out to us at