If your business collects customer names, phone numbers, emails, payment details, or any other personal information — even something as simple as a client sign-up form — Kenya’s Data Protection Act, 2019 likely applies to you. Many business owners assume this law only concerns large tech companies. It doesn’t.
Who Needs to Comply? Any entity that collects, processes, or stores personal data of individuals in Kenya — from a small e-commerce store to a law firm, hospital, SACCO, or HR department — falls under the Act’s scope as a “data controller” or “data processor.”
Key Obligations Under the Act
- Lawful basis for processing — you must have a valid reason (consent, contract, legal obligation, etc.) to collect and use personal data.
- Data subject rights — individuals have the right to know what data you hold about them, correct it, and in some cases request its deletion.
- Registration with the Data Commissioner — certain categories of data controllers and processors are required to register with the Office of the Data Protection Commissioner (ODPC).
- Data breach notification — businesses must notify the ODPC and affected individuals in the event of a data breach that risks harming those individuals.
- Cross-border data transfer rules — transferring personal data outside Kenya requires meeting specific safeguards.
Why This Matters More as AI Adoption Grows
As more businesses adopt AI tools — for customer service, marketing, HR screening, or data analysis — the volume and sensitivity of personal data being processed increases. This raises new compliance questions around automated decision-making, data minimization, and transparency that many businesses haven’t yet addressed.
The Cost of Non-Compliance
Beyond regulatory penalties, data protection failures damage client trust — often permanently. Compliance isn’t just a legal formality; it’s a business safeguard.
Our Advice Whether you’re just starting to collect customer data or scaling up your use of AI-driven tools, a compliance review now can save you significant risk later. Our AI & Data Protection Law practice can help you audit your current practices and build a compliant framework.
Not sure if your business is compliant? Contact CS Carlos Advocates for a data protection review.