According to Kenya’s Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021,
an organisation processing personal data for the following purposes shall register as a data controller or a data processor:
- Canvassing political support among the electorate.
- Crime prevention and prosecution of offenders (including operating security CCTV systems).
- Gambling.
- Operating an educational institution.
- Health administration and provision of patient care.
- Hospitality industry firms but excluding tour guides.
- Property management including the selling of land.
- Provision of financial services.
- Telecommunications network or service providers.
- Businesses that are wholly or mainly in direct marketing.
- Transport services firms (including online passenger hailing applications).
- Businesses that process genetic data.
This means that if yours is such an organisation, you are required to comply with the Data Protection Act, 2019.
Such compliance includes putting in place measures such as:
- developing, publishing and regularly updating a policy reflecting your personal data handling practices
- establishing a personal data retention schedule with appropriate time limits
- designing technical and organisational measures to safeguard and implement data protection principles
among others.
The organisations are required to comply with the Act even if they have not registered as data controllers.
Violations of the Act may result in stiff penalties.
If you need assistance in putting in place relevant measures, please get in touch.