The Data Protection Act, 2019 is a landmark piece of legislation that establishes a comprehensive framework for the protection of personal data in Kenya. This article breaks down the key provisions every business should understand.
Key Provisions
1. Consent Requirements
Data controllers and processors must obtain explicit consent before collecting or processing personal data. The consent must be specific, informed, and freely given.
2. Data Subject Rights
Individuals have the right to:
- Access their personal data
- Correct inaccurate data
- Delete their data (right to be forgotten)
- Object to data processing
- Have their data transferred to another controller (data portability)
3. Data Protection Principles
All data processing must follow these principles:
- Lawfulness — Data must be processed lawfully and fairly
- Purpose limitation — Collected for specified, legitimate purposes
- Data minimization — Only collect what is necessary
- Accuracy — Keep data accurate and up to date
- Storage limitation — Don't keep data longer than necessary
- Integrity and confidentiality — Ensure appropriate security
What Businesses Must Do
- Appoint a Data Protection Officer
- Register with the Office of the Data Protection Commissioner
- Conduct Data Protection Impact Assessments
- Implement appropriate security measures
- Report data breaches within 72 hours
Penalties for Non-Compliance
The Act provides for penalties of up to KES 5 million or imprisonment of up to 10 years for serious violations. This makes compliance not just a good practice but a legal necessity.
This article is for informational purposes only and does not constitute legal advice. Contact our team for specific guidance on data protection compliance.
