Compliance with the Data Protection Act, 2019 & Data Protection (General) Regulations, 2021 FAQS

Date: 4th July 2022

Subject:  Compliance with the Data Protection Act and Data Protection regulations

What is a data controller?

This is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.

What is a data processor?

This is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.

What is personal data?

This means any information relating to an identified or identifiable natural person.

Who is required to register?

Under the DPA, a data controller or data processor must be registered with the Office of the Data Protection Commission (“ODPC”) if that person has an annual turnover of more than KES 5,000,000 and employs over 10 employees.

The following persons have mandatory registration requirements regardless of their turnover and number of employees:

  • Operating Credit Bureaus.
  • Crime prevention and prosecution of offenders (including operating security CCTV systems).
  • Debt administration and factoring.
  • Gaming and betting operators.
  • Education providers.
  • Canvassing political support among the electorate.
  • Health administration and provision of patient care.
  • Hospitality industry firms.
  • Insurance administration and undertakings.
  • Faith-based or religious institutions.
  • Retirement benefits administrators.
  • Property managers including the sellers of land.
  • Providers of financial services.
  • Telecommunications network or service providers.
  • Businesses that are wholly or mainly in direct marketing.
  • Internet access providers.
  • Transport services firms (including online passenger hailing applications)
  • Public sector bodies.
  • Businesses that process genetic data.

Registration process with the ODPC

Application for registration shall be made online through the ODPC website. The platform is set to go live on 14th JULY 2022.

Registration Documents

The ODPC has also indicated that the following documents will be required alongside the application:

  1. Establishment documents that may include any of the following;
  1. The certificate of incorporation;
  2. KRA PIN of the firms;
  3. ID cards of Directors; and
  4. KRA PINs of the Directors.
  1. Particulars of the data controller or data processor;
  2. Description of the categories of personal data; and
  3. Registration fees.

The above list is merely speculative. A final, comprehensive list will be made available when the platform goes live.

Estimated Registration Fees

The registration fees will be based on an incremental scale, ranging from KES 4,000 (for person(s) with less than 10 employees and turnover less than KES 2 million) to KES 40,000 (for person(s) with more than 99 employees and turnover of KES 50 million). The registration fee will be per processor/controller.

Data Protection Officer (DPO)

The ODPC has indicated that a DPO position should be created by person(s) eligible for registration and that person will be tasked with the responsibility of ensuring that the data collected by the data collectors or data controllers are stored safely and used only for the purpose that it was collected.

The DPO position should be a person who is tech savvy, aware of operations and available during inspections, and may be outsourced.  Furthermore, the DPO should also have the relevant academic or professional qualifications in data protection.


A key take-away from the Regulations and the Act is the importance placed on the issue of consent. Data subjects must give informed, explicit and retraceable consent. This means that the data subject must be informed of the purpose of the data that they are giving in a manner that is plain, clear and understandable to them. Legalese and fine print are no longer viable defences, and RSM must review all current and future Letters of Engagement as well as Employment Contracts to ensure that the clauses that deal with data protection and use are clear and understood by the data subjects.

Download HERE

How can we help you?

Contact us by phone +254 (0)20 3614000 or+254 (0)20 4451747/8/9 or submit your questions, comments, or proposal requests.

Email us