New data privacy laws take effect in Kenya

ICT Cabinet Secretary Joe Mucheru during an interview/ pulselive 

NAIROBI, Kenya Mar 21- Companies in breach of Kenya’s privacy laws now face tougher convictions after parliament passed the new data act last week. 

Under the new law, all data controllers and data processors will now be required to register with the office of the Data Protection Commissioner.

The parliamentary committee on delegated legislation passed the data laws last week. 

Companies in breach of the new data regulations face fines of up to one percent of their annual turnover. 

The approved set of regulations includes the data protection (General) regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

“In relation to an infringement of a provision of this Act, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to five million shillings, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower,” the data Act reads in part.

The fines will require organisations to review their data privacy policies to make them easier to understand and prove compliance.

The data protection (General) regulations, 2021 and the complaints handling regulations took effect from March 14. 

On the other hand, the registration of data controllers and processors will take effect on July 14, 2022.

The Data Protection (General) Regulations, 2021 provide for rights of a data subject and limitations to commercial use of such information.

It also explains the roles of data controllers and processors, the communication of data breaches and the transfer of data outside Kenya.

In the event of commercialisation of data, a data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence.

He or she is liable, on conviction, to a fine not exceeding Sh20,000 or to a term of imprisonment not exceeding six months, or to both fine and imprisonment according to the data protection act.

“The approval of the regulations by Parliament marks a huge milestone in the government’s efforts to safeguard personal data of the people of Kenya,” ICT Cabinet Secretary Joe Mucheru said.

Share Article :

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp


Nasra Nanda

Nasra Nanda

Nasra Nanda is a Senior Associate in Dentons Hamilton Harrison and Matthews, a leading law firm in Kenya.

Gregor Pannike

Gregor Pannike

Gregor Pannike is the founder and managing director of Agema Analysts.

Liz Lenjo

Liz Lenjo

Liz Lenjo is the Founder and Managing Consultant of MyIP Legal Studio.

Angela Kioi

Angela Kioi

Angela Kioi is a legal compliance expert, negotiator and ADR practitioner.



Get all latest content delivered to your email a few times a month.

Sign Up To Our Newsletter

Get notified about our new articles !