
The Kenya Data Protection Act Explained for SMEs

Image: a professional working at a laptop that shows data visualisations, in an office with a large floor-to-ceiling window and warm natural daylight.
By Edwin


Small and medium enterprises in Kenya are sitting on more customer data than ever before, yet fewer than 3 in 10 have taken concrete steps to comply with the law that governs it. The Kenya Data Protection Act (No. 24 of 2019) is not a concern reserved for large corporations or tech firms. It applies to any organisation that collects, stores, or processes personal data, which means your restaurant, law firm, online shop, or logistics company is squarely within its scope.

Understanding the Kenya Data Protection Act is now a business-critical requirement. Failure to comply carries penalties of up to KES 5 million or imprisonment, and the reputational cost of a data breach can be even steeper. At Skyfalke, we work with SMEs across Kenya and East Africa to build data governance frameworks that are practical, scalable, and fully aligned with local regulatory requirements. This article breaks down everything you need to know, in plain language, so your business can act with confidence.

What Is the Kenya Data Protection Act and Who Does It Apply To?

The Kenya Data Protection Act, enacted in November 2019 and operationalised through subsequent regulations in 2021, establishes a legal framework for the collection, use, storage, and sharing of personal data. It was modelled in part on the European Union's General Data Protection Regulation (GDPR) and is administered by the Office of the Data Protection Commissioner (ODPC).

Personal data, under the Act, means any information that can identify a natural person, directly or indirectly. This includes names, ID numbers, phone numbers, email addresses, location data, health records, and even IP addresses.

The Act applies to:

  • Any person or organisation that processes personal data in Kenya

  • Any organisation outside Kenya that processes data of Kenyan residents

  • Both automated and manual data processing systems

For SMEs, this means that if you have a customer database, a mailing list, an e-commerce checkout, or even a paper-based registration form, you are a data controller or data processor under the law.

According to the Kenya National Bureau of Statistics, SMEs account for over 98% of all businesses in Kenya and contribute approximately 30% of GDP. The ODPC has made clear that SME size does not reduce legal obligation, only the complexity of the compliance framework required.

Recommended Watch: Understanding the Kenya Data Protection Act 2019: A Plain Language Guide. This explainer breaks down the core obligations of the Act in accessible terms, ideal for business owners new to data compliance.

Core Principles Every SME Must Follow Under the Act

The Kenya Data Protection Act is built around eight foundational data protection principles. These are not guidelines; they are legal obligations. Understanding them is the starting point for any compliance strategy.

The eight principles require that personal data must be:

  1. Collected for a specific, explicit, and legitimate purpose

  2. Used only for the purpose it was collected

  3. Adequate, relevant, and not excessive relative to its purpose

  4. Accurate and kept up to date

  5. Retained only for as long as necessary

  6. Processed lawfully, fairly, and in a transparent manner

  7. Kept secure against loss, unauthorised access, or disclosure

  8. Not transferred to countries without adequate data protection laws

What "Lawful Basis" Means for SMEs

Before collecting any personal data, your business must have a lawful basis for doing so. The Act recognises several bases, including consent, contractual necessity, legal obligation, and legitimate interest.

Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and implied consent do not meet this standard. If your current signup forms use any of these, they need revision.

Data Minimisation in Practice

Many SMEs collect more data than they use, often out of habit or because their systems were not designed with a specific purpose in mind. Data minimisation requires you to collect only what is strictly necessary. Audit your intake forms, CRM fields, and checkout flows to remove any fields that do not serve a documented purpose.

Key Obligations for SMEs: Registration, Notices, and Consent

Beyond following the principles, the Act places specific procedural obligations on data controllers and processors. These are the steps your business needs to take, not just the values it needs to hold.

Registration with the ODPC

Data controllers and processors in Kenya are required to register with the Office of the Data Protection Commissioner. Registration is done via the ODPC's online portal and requires you to describe the categories of data you process, the purposes of processing, and your data security measures.

Failure to register is itself a violation of the Act, independent of any data breach or misuse.

Privacy Notices

Your business must provide a privacy notice to data subjects at the point of collection. This notice must state: who you are, what data you collect, why you collect it, how long you will keep it, who you share it with, and what rights the data subject has.

A privacy notice is not a legal formality to bury in a footer. It is an active communication obligation. If your website does not have a compliant privacy policy, that is a gap that needs immediate attention.

Consent Management

If consent is your lawful basis, you must be able to demonstrate that consent was obtained, when, and for what specific purpose. Invest in a consent management system or, at minimum, a dated log of how and when customers opted in.
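As an added illustration (not code from the article or from Skyfalke), the following Python consent log refuses the signals the Act does not accept as consent (pre-ticked boxes, bundled purposes, implied opt-in) and keeps the dated, per-purpose records a business would need to demonstrate who consented to what and when. The capture-method names, notice version labels and customer identifiers are assumptions for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

# Capture methods that count as an affirmative, unambiguous act (assumed names).
VALID_METHODS = {"checkbox_ticked", "signed_form", "email_reply"}


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str        # internal customer reference, not the raw ID number
    purpose: str           # exactly one purpose, e.g. "marketing_email"
    method: str            # how the opt-in was captured
    notice_version: str    # privacy notice shown at the point of collection
    given_at: datetime     # UTC timestamp of the opt-in
    withdrawn_at: Optional[datetime] = None


class ConsentLog:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, subject_id, purpose, method, notice_version, *,
               preticked=False, given_at=None) -> ConsentRecord:
        """Log an opt-in, rejecting pre-ticked, implied or bundled consent."""
        if preticked:
            raise ValueError("pre-ticked box is not freely given consent")
        if method not in VALID_METHODS:
            raise ValueError(f"implied or unrecognised consent method: {method!r}")
        if not purpose or any(sep in purpose for sep in (",", ";", "+", " and ")):
            raise ValueError("bundled purposes must be logged as separate records")
        rec = ConsentRecord(subject_id, purpose, method, notice_version,
                            given_at or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, when=None) -> int:
        """Close every active record for this subject and purpose; return the count."""
        when = when or datetime.now(timezone.utc)
        closed = 0
        for i, rec in enumerate(self._records):
            if (rec.subject_id, rec.purpose) == (subject_id, purpose) and rec.withdrawn_at is None:
                self._records[i] = replace(rec, withdrawn_at=when)
                closed += 1
        return closed

    def has_consent(self, subject_id, purpose, at=None) -> bool:
        """True if an opt-in for exactly this purpose was in force at time `at`."""
        at = at or datetime.now(timezone.utc)
        return any(r.given_at <= at and (r.withdrawn_at is None or r.withdrawn_at > at)
                   for r in self.evidence(subject_id, purpose))

    def evidence(self, subject_id, purpose) -> list[ConsentRecord]:
        """Dated records that show who consented to what, when and how."""
        return [r for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]
```

Because each record carries one purpose, a customer who opted in to marketing email has not consented to profiling, and a withdrawal closes the record instead of deleting it, so the opt-in history stays available as evidence.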

Skyfalke's business tools and process automation services include consent management workflows that integrate directly with your CRM or website, making compliance operationally seamless rather than administratively burdensome.

Data Subject Rights: What Your Customers Can Legally Demand

One of the most practically significant parts of the Kenya Data Protection Act is the set of rights it grants to individuals whose data you hold. These rights are enforceable, and your business must have processes in place to respond to them.

Data subjects in Kenya have the right to:

  • Access: Request a copy of any personal data you hold on them

  • Rectification: Request correction of inaccurate or incomplete data

  • Erasure: Request deletion of their data, subject to certain conditions

  • Objection: Object to processing based on legitimate interest or direct marketing

  • Restriction: Request that processing be limited in specific circumstances

  • Portability: Receive their data in a structured, commonly used format

  • Not be subject to automated decision-making without human intervention

How to Build a Rights Request Process

SMEs often lack a formal channel for handling data subject requests. The Act requires you to respond within a reasonable time, and the ODPC has signalled that delays or refusals without justification will attract enforcement action.

At a minimum, your business needs: a designated contact point (an email address or web form) for receiving requests, a documented internal process for verifying identity and responding, and a log of all requests received and actions taken.

This does not have to be complex. For many SMEs, a well-structured Google Form linked to a simple spreadsheet tracker is an adequate starting point. What matters is that the process exists and is followed consistently.

Data Security and Breach Notification: Your Obligations When Things Go Wrong

The Act does not assume your business will never experience a data breach. It does, however, require that when a breach occurs, you respond appropriately and quickly.

Data Security Requirements

Organisations must implement appropriate technical and organisational measures to protect personal data. For SMEs, this translates into practical steps:

  • Encrypt sensitive data at rest and in transit

  • Use strong, unique passwords and multi-factor authentication across all systems

  • Restrict access to personal data on a need-to-know basis

  • Conduct regular vulnerability assessments of your IT infrastructure

  • Back up data securely and test your recovery process

Skyfalke's cloud modernisation and data platform services are specifically designed to help Kenyan businesses build security-first digital infrastructure. Our team assesses your current environment, identifies vulnerabilities, and implements solutions that keep you compliant without disrupting operations.

For reference, ISO/IEC 27001, published by the International Organization for Standardization, provides the globally recognised benchmark for information security management, and many ODPC guidelines align with its principles.

Breach Notification

If a breach is likely to result in risk to the rights and freedoms of data subjects, you are legally required to notify the ODPC without undue delay. Affected individuals must also be notified where the breach is likely to result in a high risk to them.

Documenting the nature of the breach, the categories of data affected, the number of individuals impacted, and the remedial actions taken is both a legal and a practical necessity.

Penalties, Enforcement, and What the ODPC Is Watching

The Office of the Data Protection Commissioner has been increasingly active since the Act came into force. Businesses that assume enforcement is theoretical have not been watching the landscape closely.

Under the Act, penalties for violations can reach:

  • KES 3 million or 0.5% of annual turnover for a first offence

  • KES 5 million or 1% of annual turnover for subsequent offences

  • Criminal liability for directors and officers in cases of wilful violation

The ODPC has powers to investigate complaints, conduct audits, issue enforcement notices, and impose administrative fines. Complaints can be filed by any data subject, and the ODPC has signalled that consumer-facing businesses, including e-commerce platforms, financial services providers, and healthcare operators, are priority sectors for scrutiny.

According to the Africa Data Privacy Law Review published by OneTrust DataGuidance, Kenya's enforcement trajectory is following a pattern seen in South Africa and Rwanda, with regulatory activity intensifying as institutional capacity grows.

Compliance is not a one-time project. It requires ongoing attention, especially as your business evolves, new data sources are added, or third-party vendors change. If you are unsure where your business currently stands, Skyfalke's ICT strategy and compliance advisory service is a structured starting point.

A Practical Kenya Data Protection Act Compliance Roadmap for SMEs

Compliance does not require a legal team or an enterprise-grade budget. It requires a structured approach and consistent follow-through. Here is a step-by-step roadmap designed specifically for SMEs:

  1. Conduct a data audit. Map all personal data your business collects, where it is stored, who has access, and what it is used for. This is your data inventory.

  2. Register with the ODPC. Complete your registration via the ODPC portal. Gather details about your data processing activities before you begin.

  3. Update or create your privacy notice. Ensure it is written in plain language, posted prominently on your website, and provided at every point of data collection.

  4. Review and update consent mechanisms. Replace implied or bundled consent with explicit, documented consent flows.

  5. Appoint a data protection point of contact. This does not have to be a full-time Data Protection Officer for most SMEs, but someone must own this function.

  6. Train your team. Everyone who handles personal data needs to understand the basics of the Act and your internal procedures.

  7. Implement technical safeguards. Encryption, access controls, and secure backup are non-negotiable baselines.

  8. Create a breach response plan. Know what you will do and who will do it if a breach occurs.

  9. Review annually. Set a fixed date each year to review your compliance posture, update records, and address any gaps.

For a deeper dive into how Skyfalke has helped businesses build compliant digital environments, explore our case studies, including our work with Mwangi Kinyanjui Advocates, where we helped a Kenyan legal firm establish a robust digital infrastructure aligned with professional data governance standards.

Image: an organised office workspace with a professional reviewing business data and reports.
Completing a structured data audit is the foundation of Kenya Data Protection Act compliance. Skyfalke supports SMEs through every stage of the process.

Frequently Asked Questions About the Kenya Data Protection Act

Does the Kenya Data Protection Act apply to my small business?

Yes. The Act applies to any individual or organisation that collects or processes personal data in Kenya, regardless of business size. If your SME has a customer list, email newsletter, point-of-sale system, or website contact form, you are covered by the Act and required to comply with its provisions.

What is the ODPC and what does it do?

The Office of the Data Protection Commissioner is the independent regulatory body responsible for administering and enforcing the Kenya Data Protection Act. It registers data controllers and processors, investigates complaints from data subjects, conducts audits, issues guidelines, and imposes penalties for non-compliance.

Do I need to register with the ODPC even if I am a sole trader?

Registration requirements apply to data controllers and processors. If your sole trading business collects personal data from customers, suppliers, or employees, you are likely required to register. Skyfalke recommends seeking clarification from a qualified data protection advisor or consulting the ODPC's official guidance to confirm your obligation based on your specific activities.

What should I do if a customer asks to delete their data?

You are required to respond to erasure requests. Review whether you have a lawful ground to retain the data, such as a contractual or legal obligation. If no such ground exists, delete the data and confirm this to the customer in writing. Keep a log of the request and your response. The process must be completed without undue delay.

What are the biggest compliance mistakes Kenyan SMEs make?

The most common errors include: collecting data without a clear purpose, using consent language that does not meet the Act's standards, failing to register with the ODPC, having no privacy notice on a public-facing website, and lacking any documented process for responding to data subject requests. All of these are addressable with the right guidance. Skyfalke's digital capabilities team works with businesses to identify and close these gaps efficiently.

Can I be held personally liable as a business owner for data protection violations?

Yes. The Act provides for personal criminal liability for directors, officers, and employees who participate in wilful or negligent violations. This makes data protection a board-level concern, not just an IT matter. Establishing clear accountability within your business is an essential part of your compliance framework.

Conclusion

The Kenya Data Protection Act sets a clear standard for how businesses must handle personal data, and for SMEs, the path to compliance is more accessible than most assume. The steps are structured and logical: audit your data, register with the ODPC, update your consent and privacy practices, secure your systems, and create accountable internal processes.

What separates businesses that comply confidently from those that remain exposed is not budget or company size; it is having the right guidance and implementation support from the outset. Skyfalke is Kenya's trusted partner for businesses building compliant, data-secure digital operations. From technical infrastructure to content strategy and regulatory alignment, our team brings the expertise your SME needs to operate with integrity and legal confidence.

Schedule a free consultation with Skyfalke and take the first step toward Kenya Data Protection Act compliance today.


About Edwin

Project Lead.

Edwin wears the hat of Product Lead and web technologist, with a focus on building and sustaining the digital systems that keep businesses running. At Skyfalke, he works across product development and infrastructure, turning ideas into live offerings and keeping them working long after launch. Through his writing, he explores practical technology, cloud services and what it really takes for small and growing businesses to thrive in a digital-first world.


He has over four years of hands-on experience across NGOs, agencies and a startup. Outside of tech, Edwin is a trained photographer and writer, skills that sharpen how he communicates and how he builds. He works by one principle: Do My Honest Part.

Tags:

#Compliance #Data Protection
