New Developments in Enactment of Kenya’s Data Protection Regime


Kenya appointed its first Data Protection Commissioner on 16th November 2020, following the enactment of the Data Protection Act, No. 24 of 2019 (DPA) in late 2019. Since then, the Office of the Data Protection Commissioner (ODPC) has been undertaking a number of activities as it moves towards full operationalization of the DPA.

Effective 7th January 2020, the Cabinet Secretary for ICT, Innovation and Youth Affairs appointed a Taskforce on Development of the Data Protection (General) Regulations (the DPA Taskforce). The DPA Taskforce is required to within 6 months, identify any gaps or inconsistencies in the DPA while also developing the regulations to support the DPA’s enforcement.

On 25th February 2021, the ODPC launched their official website (, serving as their initial contact point with stakeholders. The website contains a functionality that permits anybody to report a data breach or other complaints with the ODPC.

The ODPC has also published the following documents on their website:

  1. Guidance Note on Consent – provides further context as to how prior, specific and informed consent is to be obtained from data subjects by data controllers or processors.
  2. Guidance Note of Conducting Data Protection Impact Assessment (DPIA) – provides guidance to data controllers and processors on circumstances necessitating DPIAs or otherwise, and how to conduct DPIAs.
  3. Complaints Management Manual – indicates the process of making and resolving complaints to the ODPC.
  4. The ODPC Citizen Service Delivery Charter – indicates service delivery timelines, such as registration of data processors or controllers within 14 working days.

These draft guidelines are expected to be non-binding indications of the ODPC’s practice in executing its mandate. We anticipate these to be updated from time to time to cater for legal and practical developments, as is the norm with other statutory regulators in Kenya.

We understand that the ODPC and the DPA Taskforce are in the process of finalizing draft regulations as mandated. These draft regulations are expected to be released for public comment in the coming weeks and will propose the legally binding provisions regarding obtaining consent, registration of data processors and controllers and enforcement actions by the ODPC.

We are monitoring these developments and shall provide an update in due course. In the meantime, we recommend that data controllers or processors affected by Kenya’s DPA commence a review of their internal policies and external engagements to measure compliance with the DPA. This may ease the path to compliance once the DPA’s enforcement mechanism is fully mobilized.

For specific advice on data protection in Kenya, feel free to reach out to us on