Data protection
What do controllers and processors have to do under the Kenya Data Protection Act?
The Kenya Data Protection Act, 2019 sets the rules for handling personal data. If your organisation decides why and how personal data is used, you are a data controller. If you process it on someone else's instructions, you are a processor. Both have duties: process data lawfully and fairly, keep records of what you do, respect the rights of the people whose data you hold, secure it, and report serious breaches. Many organisations must also register with the Office of the Data Protection Commissioner (ODPC). This guide explains the obligations in plain English, and how to check you are meeting them.
Murikah
Independent assurance and AI governance
Data protection in Kenya is no longer a policy on a shelf. The Act gives people real rights and gives the regulator real powers, so the sensible question is not whether it applies to you, but whether you can show you are meeting it.
Controllers and processors, explained
The Act turns on two roles. A controller decides why and how personal data is used. A processor handles data on a controller's behalf, following its instructions. Your organisation can be both, for different data: a SACCO is a controller for its member records and may be a processor where it runs a service on behalf of another institution. Getting the roles right matters, because they carry different duties, and the Act requires processing done by a processor to be governed by a written contract between the two parties, so the roles should be stated in that contract rather than assumed.
Core obligations
The duties are easier to remember as a short list:
- Lawful basis and transparency. Have a clear reason to process data, and tell people what you are doing.
- Data minimisation and accuracy. Collect only what you need, and keep it correct.
- Records of processing. Keep a record of what data you hold, why, and where it goes.
- Data-subject rights. Be able to respond when someone asks to access, correct or delete their data.
- Security. Protect data with controls that match the risk.
- Breach notification. Detect, contain and assess breaches, and report those likely to cause real harm to the people affected. The Act gives a controller 72 hours from becoming aware of such a breach to notify the ODPC, and a processor must tell its controller within 48 hours of becoming aware, so the clock starts at detection, not at the end of the investigation.
ODPC registration
The Office of the Data Protection Commissioner (ODPC) is Kenya's regulator. Many controllers and processors are required to register, with the thresholds and exemptions set out in the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. Registration is simple once you know your role and your purposes. If you are unsure whether you must register, treat it as likely and confirm, rather than discovering the gap during an incident.
How a data protection review works
A review checks the distance between what the Act expects and what you actually do. We map the personal data you hold and why, check your lawful bases, your records of processing and your contracts with processors, test your security controls and your breach readiness (can you detect a breach, assess the harm and get a notification to the ODPC inside 72 hours?), and give you a prioritised list of fixes. The findings are tracked to closure like any other audit.
How Murikah helps
We run data protection reviews for SACCOs, banks, fintechs and NGOs, help you get ODPC-ready, and build the records and breach process you need. If AI is part of how you use data, our guide to ISO 42001 readiness covers the governance that goes alongside.
This is general information, not legal advice. For obligations specific to your organisation, take advice from a qualified data-protection adviser.
Frequently asked questions
Who needs to register with the ODPC?
Many data controllers and processors in Kenya are required to register with the Office of the Data Protection Commissioner, with thresholds and exemptions set out in the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. If you handle personal data at any meaningful scale, for example as a SACCO, bank, fintech or NGO, you should assume registration applies and confirm your position. Registration is straightforward once you know your role and your purposes.
What is the difference between a controller and a processor?
A controller decides why and how personal data is processed. A processor only acts on a controller's instructions. A SACCO deciding how to use member data is a controller. A vendor running a system on the SACCO's behalf is a processor. The roles carry different duties, and the Act requires them to be set out in a written contract between the two parties.
What are the main obligations under the Act?
Have a lawful basis for processing, be transparent about it, collect only what you need, keep it accurate, hold it securely, and keep records of your processing. You must respect data-subject rights, hold processors to written terms, and notify serious breaches. In short, know what data you hold, why you hold it, and be able to show you handle it responsibly.
What happens if there is a data breach?
You need to detect it, contain it, assess the risk to the people affected, and, where the breach is likely to cause real harm, notify the ODPC within 72 hours of becoming aware of it and tell the affected individuals in writing within a reasonably practical period. If you are a processor, you must notify your controller within 48 hours of becoming aware. The practical lesson is to prepare in advance: have a simple breach response plan that names who decides, who notifies and where the evidence is kept, so a stressful moment follows a clear process rather than guesswork.
Put this into practice
Book a demo and we will map this to your organisation, your regulator and your board.