Data Protection

The Data Protection Act, 2019 (the DPA or the Act) was passed in November 2019 to make provision for the regulation of the processing of personal data and the protection of the rights of data subjects. The DPA also outlines the guiding principles of data protection, the obligations of data controllers and data processors, provides for the transfer of personal data outside Kenya and provides data subjects with remedies if their rights are violated. The passing of the Act came in the wake of the operationalisation of the General Data Protection Regulation (GDPR) in May 2018. The GDPR is a European law with extra-territorial applicability and which regulates the processing of personal data belonging to data subjects in the European Union and the European Economic Area.

The DPA contains core rules and legal obligations that affect businesses across all sectors of commerce, technology and industry to the extent that their operations involve the handling of personal data. Such personal data would typically include names of natural persons, email and physical addresses, telephone numbers, date of birth and birthplace details, age, gender, national identification numbers etc. To this extent, all business operators fall under the definition of data controllers and/or data processors and are bound by the obligations in the Act.

Further, by virtue of being employers, businesses across all sectors also fall under the purview of the Act as holders and processors of employee related personal data which also must be processed in line with the Act.

Kenya has recently appointed its first Data Commissioner who will oversee the implementation of the DPA and ensure compliance by data processors and data controllers with the DPA.

For more information on Anjarwalla & Khanna’s data protection expertise, please contact Anne Kiunuhe, Sonal Sejpal and Wangui Kaniaru in Nairobi.

Representative matters include:

  • A&K has extensive experience in providing advice on data protection, privacy and security. Our team regularly provides innovative, solid and practical legal solutions to data, privacy and security-related concerns faced by clients. The team’s experience spans the full range of industry sectors, including consumer goods and retail, agriculture, pharmaceuticals, healthcare, telecommunications, banking and finance, insurance, real estate and construction, transport, hospitality, technology and media as well as the manufacturing and industrial sector.
  • The A&K data protection team has developed a clear understanding of the European Union General Data Protection Regulation as well as the Data Protection Act, 2019 and has advised various clients on the requirements under these statutes. The team is able to provide training, risk assessments, audit checks, compliance assistance and legal advice, having combined international best practices with on-the-ground experience and knowledge of various data protection laws and regulations across multiple jurisdictions.
  • The team is able to assist clients to understand and comply with the law as well as provide guidance on incident-based compliance issues such as reporting obligations concerning personal data breaches when necessary. Working together with the A&K Forensics, Investigations & Compliance department, the data protection team combines the necessary aspects of legal and compliance related changes to provide end-to-end solutions to clients, including carrying out assessments of personal data management systems/framework; identifying areas of non-compliance; recommending remedial measures to achieve compliance with DPA standards and providing assistance in the implementation of recommended measures.