Kenya's data controllers and processors now need to register with the country's regulator in order to handle personal data or face a substantial fine.

Over the past decade, Kenya has been making significant strides in ensuring that data subjects have more control over their personal information. Article 31 of the Constitution of Kenya, 2010 grants everyone the right to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed or the privacy of their communications infringed.

The Data Protection Act (the "Act"), which came into force in 2019, was enacted with the main purpose of affording Kenyans more rights on how their personal data may be handled.

In terms of the Act, data controllers and processors who process the personal data of Kenyans, whether domiciled in the country or otherwise, must be registered with the Office of the Data Protection Commissioner ("ODPC"). These registrations are subject to exemptions set out in the Data Protection Regulations ("Registration Regulations"), which came into effect on 14 July 2022.

The registration process can be completed online through the ODPC portal.

All entities who process personal data for purposes such as:

  • gambling;
  • operation of educational institutions;
  • financial services;
  • telecommunications services;
  • health administration; and
  • hospitality,

are required to register without exception.

Others that must mandatorily register are those processing personal data for crime prevention (e.g., operators of CCTV systems), political canvassing, property management, direct marketing, transport service firms and entities that process genetic data. An entity is exempt from mandatory registration if it does not process personal data for any of the above purposes, has an annual turnover or profit below KES5 000 000 (approx. USD42 000, at the time of writing), and has fewer than 10 employees.

Registration fees are graduated based on an entity's employee numbers and annual turnover, with the least amount payable being KES4 000 (approx. USD34, at the time of writing) and the maximum amount payable being KES40 000 (approx. USD340, at the time of writing).

Under the guidance note on the registration of data controllers and processors, the ODPC requires entities that qualify as both data controllers and processors to register separately. This means that if a company is both a processor and controller, it will have to make a separate application as a controller and another as a processor with fees being payable for each application.

Once an application for registration is completed, it will be reviewed by the ODPC and, if compliant, a certificate of registration will be issued to the data controller or processor within 14 days of receipt of the application. This certificate is valid for two years and can be renewed subject to completion of the renewal application and payment of the prescribed renewal fee.

With the coming into force of the Registration Regulations and the portal having been launched, data controllers and processors must now familiarise themselves with the processes and costs of compliance to ensure that they are not caught out and their business operations interrupted.

The continued processing of personal data without registration, provision of misleading information during registration, and failure to renew an expired certificate are all offences under the Act. If convicted, a data controller or processor risks a fine of up to KES3 000 000 or imprisonment for a term of up to 10 years, or both.

Reviewed by Mahesh Acharya, an Executive at ENSafrica in Kenya.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.