Introduction: The implementation of the Data Protection Regulations.

By Victor Orandi

Since the Data Protection Act (DPA) was passed into law in 2019, followed by the establishment of the Office of the Data Protection Commissioner (ODPC), the next key step toward promoting and strengthening data protection and privacy has been the introduction of guidelines for implementing the DPA.

On 11th February 2022, the Cabinet Secretary for Information, Communication, Technology, Innovation and Youth Affairs gazetted the following regulations (Data Protection Regulations) to give effect to the provisions of the DPA. (Follow the links below to read about the regulations in detail):

  1. The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the “Registration Regulations”);
  2. The Data Protection (General) Regulations, 2021 (the “General Regulations”); and
  3. The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 (the “Compliance Regulations”).

The Registration Regulations specify the procedure that the Office of the Data Protection Commissioner will adopt in registering Data Controllers and Data Processors as per the Data Protection Act, 2019. The provisions of these Regulations will take effect from July 2022.

Companies will be required to register as data controllers/processors, given that a data controller or data processor that has an annual turnover/revenue of more than five million shillings and employs more than ten (10) people shall be required to register with the ODPC.

A data processor or a data controller is required to register (regardless of annual turnover/revenue and the number of employees) provided that they are processing personal data in line with functions such as debt administration & factoring and provision of financial services.

The Data Commissioner shall maintain an up-to-date register of all registered data controllers and data processors.

  • Data Protection (General) Regulations, 2021

The General Regulations set out the procedures for enforcing the rights of data subjects and elaborate on the duties and obligations of Data Controllers and Data Processors.

Companies are to ensure their data protection policies are aligned with the stipulated guidelines under the General Regulations. The privacy policies should include:

  1. The nature of personal data to be processed; scope of the personal data to be processed; purposes for processing the required personal data; limitation on the retention of personal data; and whether the personal data shall be shared with third parties.
  2. Rights of the data subjects, such as the right to access personal data; right to restrict processing; right to object to processing; right to rectification; data portability request; and right to erasure.

Companies are required to enter into an agreement with any third party who processes personal data on their behalf. The agreement will specify each party’s obligations and liabilities in connection with the processing activities.

Companies may also be required to submit a data protection impact assessment report to the Data Commissioner for approval in relation to their processing activities.

  • Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021

The Compliance Regulations outline the compliance and enforcement provisions for the Data Commissioner, Data Controllers, and Data Processors.

Any person aggrieved by the decision of any person under the Data Protection Act, 2019 may lodge a complaint with the ODPC. The complaint can be lodged through the ODPC’s official website, www.odpc.go.ke. Through this website, any person or organization will also be able to report a data breach or report a concern.

You can reach out to us through victor@mmagareadvocates.com or matthew@mmagareadvocates.com for further advice on the above requirements and compliance with the Data Protection laws.
