21 January 2022 by Technology, Media & Telecommunications Alert

Publication of implementing regulations for data protection in Kenya

On 14 January 2022, the Cabinet Secretary in the Ministry of Information, Technology, Innovation and Youth Affairs, published three sets of implementing regulations under the Data Protection Act 24 of 2019 (the DPA). These are: the Data Protection (General) Regulations, 2021 (the General Regulations); the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 (the Complaints and Enforcement Regulations); and the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021 (the Registration Regulations), together referred to as “the Regulations”. 

The Data Commissioner published the Regulations in draft form early last year for purposes of public participation, and subsequently received and compiled comments from the public for purposes of incorporation into the final versions of the Regulations.

The General Regulations are quite comprehensive and aim to give effect to the rights of data subjects and also to elucidate the obligations of data controllers and data processors under the DPA. The General Regulations also expound further on other salient features of the DPA including the implementation of data protection by design or by default, data protection impact assessments, the transfer of personal data outside Kenya, the notification of personal data breaches and the restrictions on the commercial use of personal data.

The Complaints and Enforcement Regulations set out the procedure for lodging complaints with the Data Commissioner and for the issuance and management of enforcement and penalty notices under the DPA. The Registration Regulations on the other hand set out the procedure and thresholds for registration of persons with the Data Commissioner in their capacity as data controllers and data processors.

The Regulations are required to be tabled before the National Assembly within a week of the publication date and to be subsequently referred to the House Committee on Delegated Legislation for scrutiny and possible revocation. If within 28 days from the date of such referral (or such other period as the National Assembly may approve) this committee shall not have not made a report recommending the revocation of the Regulations, then the Regulations will come into force. We are reviewing the contents of the Regulations and will issue a comprehensive legal alert in due course.

For more information on DPA, please watch our short video summary of the salient features of the Act here and to read our brief analysis of its extra territorial applicability here.

download PDF

The information and material published on this website is provided for general purposes only and does not constitute legal advice.

We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter.

We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages.

Please refer to the full terms and conditions on the website.

Copyright © 2022 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com

Related People

Related Expertise

You may also be interested in