
Kenya’s ODPC Announces Stricter Data Protection Rules – What Data Controllers Must Know
The Office of the Data Protection Commissioner (ODPC) has issued critical determinations affecting data controllers in Kenya, reinforcing the country’s data protection framework under the Data Protection Act, 2019. The announcement, made on February 17, 2025, outlines compliance expectations and penalties for non-compliance, particularly for institutions handling personal and sensitive data.
Key Highlights of the Determinations
1. Mandatory Registration for Data Controllers
The ODPC has reaffirmed that all entities processing personal data must register as data controllers or processors. This requirement is particularly essential for sectors such as education, healthcare, finance, and telecommunications. Institutions that fail to comply with registration requirements will face legal and financial repercussions.
2. Strengthened Data Security Measures
In an effort to curb data breaches and misuse, the ODPC requires organizations to enhance their security frameworks. Data controllers must implement:
● Secure storage and encryption mechanisms.
● Access control measures to limit unauthorized data handling.
● Regular audits to assess compliance and mitigate risks.
3. Enforcement Actions for Non-Compliance
The ODPC has signaled strict enforcement against organizations that fail to adhere to the Data Protection Act. The penalties include:
● Fines and administrative sanctions.
● Revocation of data processing licenses.
● Legal action from affected data subjects.
These measures aim to ensure responsible data management practices and protect individuals from data misuse.
4. Rights of Data Subjects

The determinations emphasize the rights of data subjects, including:
● The right to access and correct personal data.
● The right to be informed about data processing activities.
● The right to withdraw consent and request deletion of personal information.
Organizations are required to develop clear data handling policies and provide channels for individuals to exercise their rights effectively.
Steps for Compliance
To align with the ODPC’s latest determinations, data controllers should:
- Register with the ODPC as a data controller or processor.
- Review and update internal data protection policies to align with regulatory expectations.
- Implement robust data security measures such as encryption and access controls.
- Train employees on data protection laws and best practices.
- Conduct regular audits to ensure ongoing compliance.
Conclusion
The ODPC’s recent determinations mark a significant step in reinforcing Kenya’s data protection landscape. Organizations handling personal data must prioritize compliance to avoid legal penalties and safeguard individuals’ privacy rights. As regulatory oversight strengthens, adherence to data protection standards will be crucial for maintaining trust and operational integrity.
For more insights pertaining to this matter, you can email us at info@mmsadvocates.co.ke. You can also find us at MMS Advocates, Lower Duplex Apartments, Lower Hill Road.