From 14 July 2022, the provisions of the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the Regulations) will come into force and the process of registration with the Office of the Data Protection Commissioner (the ODPC) will also begin for data controllers and data processors.
All civil registration entities (such as the Office of the Registrar of Persons which issues national identity cards) specified in the Data Protection (Civil Registration) Regulations, 2020 are exempt from the Regulations. Aside from this exemption, the Registration Regulations also exclude the following data controllers and data processors from mandatory registration:
- those with an annual turnover or annual revenue of below KES 5 million (approx. USD 42,000) and
- those with less than 10 employees.
However, it is worth noting that the Regulation also appears to contradict the above exemption, providing that the above entities are still required to undertake mandatory registration. It is not clear how the two provisions will be reconciled. Following the commencement of the registration process, we anticipate that the position will become clearer. For some entities, registration will be considered mandatory. These include entities processing personal data for activities such as gambling, health administration, financial services, telecommunication services, and transport services, regardless of whether they have an annual turnover or annual revenue of below KES 5 million (approx. USD 42,000) or have less than 10 employees.
With the Registration Regulations in force, it is incumbent on all data controllers and data processors to register with the ODPC to avoid penalties for non-compliance. Further, failure to comply with the requirement to register may have other repercussions such as denial of operating licences. For example, the Central Bank of Kenya Act (Chapter 491 of the Laws of Kenya) was amended to require digital credit providers to be registered with the OPDC, failing which they would be denied the necessary licence for their business from the Central Bank.
With the myriad of amendments made to various legislation following the enactment of the Data Protection Act, 2019 (the DPA), such as amendments to the Capital Markets Act (Chapter 485A of the Laws of Kenya) and the Kenya Information and Communications Act (No 2 of 1998), to name a few, it is likely that the effects of registration of data controllers and data processors under the DPA will have far-reaching implications on how organisations operate in Kenya. These implications would primarily relate to the processing of personal data by organisations established in Kenya and the processing of personal data relating to natural persons located in Kenya.
Following recent guidance by the ODPC, we understand that an entity that should register as a data controller and data processor needs to make two separate registration applications and pay a separate fee for each.
For more details on the Regulations, you can access our alert on who is required to register and the requirements relating to registration as a data controller and a data processor here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.