Kenya is one step closer to appointing its first Data Protection Commissioner (“Commissioner”), a mission that has been met with some obstacles

On 13 October 2020, the President of Kenya, in compliance with the provisions of the Data Protection Act, 2019 (“DPA”), nominated current director of voter education, partnerships and communications at the Independent Electoral and Boundaries Commission (“IEBC”), Ms Immaculate Kassait, for appointment to the position of Commissioner. Speaker, Hon. Justin Bedan Muturi announced the president's nomination to the National Assembly.

The National Assembly departmental committee on communication, information and innovation (the “Committee”) will now consider the suitability of Ms Kassait for the Commissioner position and table its report to parliament for debate and decision within the next 14 days.

The speaker further said that “noting that the 14-day period within which the Committee is expected to consider the nominee and table its report for debate will lapse during the period of the short recess, the Committee is at liberty to seek an extension of time.”

Ms Kassait is one of the 12 potential candidates shortlisted for the position by the Public Service Commission. She holds a bachelor's degree in law from Makerere University, a post graduate diploma in law from the Kenya School of Law and an executive MBA from the United States International University. 

The Commissioner's office will be responsible for, among other functions:

  • overseeing the implementation and enforcement of the provisions of the DPA; 
  • establishing and maintaining a register of data controllers and data processors;
  • exercising oversight on data processing operations; and 
  • receiving and investigating any complaint by any person on infringements of the rights under the DPA.

Following this nomination, its subsequent approval by parliament, and final appointment of the Commissioner, we should expect that the office of the Commissioner will speedily work to put in place structures and systems for the registration of data processors and data controllers to facilitate the effective regulation of data processing operations conducted in Kenya

As recommended by the DPA, an effective preparatory measure for entities who ordinarily, regularly and systematically monitor and process information on data subjects includes the appointment of a data protection officer to: advise on and assist with ensuring compliance with data processing requirements provided under the DPA and related law, as well as cooperate with the Commissioner and any other authority on matters relating to data protection. It is recommended that entities operating as data controllers or data processors publish the contact details of the data protection officer on their websites and forward such details to the office of the Commissioner for subsequent publication on its official website once launched.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.