Kenya's Data Protection Act: what SMEs actually need to do

The Data Protection Act, 2019 has been in force for long enough now that “we were not aware” is no longer a credible answer. Yet many Kenyan SMEs still treat compliance as a box to tick rather than a set of habits to build. Here is what actually matters.

What the Act asks of you

The Act is built around a handful of duties: collect personal data lawfully and for a clear purpose, keep it no longer than you need it, keep it secure, and respect the rights of the people it belongs to. If you handle the personal data of Kenyan residents — staff, customers, even newsletter subscribers — the Act applies.

The ODPC’s registration requirement

Most SMEs are required to register with the Office of the Data Protection Commissioner as either a data controller, data processor, or both. Registration is annual. It is not onerous, but missing it is the easiest compliance failure for a regulator to spot.

Where SMEs typically slip

Three patterns come up again and again:

1. No lawful basis for marketing. Sending promotional messages to a list you bought, or to customers whose consent does not cover marketing, is the single most common issue we see.
2. Outdated or missing privacy policies. A policy copied from a UK or US template rarely meets Kenyan requirements and often names the wrong regulator.
3. No data processing agreements. If you share personal data with a processor — a payroll provider, a CRM, a bulk SMS platform — you need a written agreement covering how they handle it.

A workable starting point

Begin with a one-page data map: what personal data you hold, why you hold it, where it lives, and who you share it with. From that, most of the rest follows — the policy you need to write, the agreements you need to sign, and the registration category you fall into.

This piece is general guidance, not legal advice on your specific matter. Get in touch if you would like us to look at your position.