Contact

Publication of implementing regulations for data protection in Kenya

Back to top

Publication of implementing regulations for data protection in Kenya

On 14 January 2022, the Cabinet Secretary in the Ministry of Information, Technology, Innovation and Youth Affairs, published three sets of implementing regulations under the Data Protection Act 24 of 2019 (the DPA). These are: the Data Protection (General) Regulations, 2021 (the General Regulations); the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 (the Complaints and Enforcement Regulations); and the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021 (the Registration Regulations), together referred to as “the Regulations”. 

21 Jan 2022 2 min read Technology, Media & Telecommunications Alert Article

At a glance

  • Three sets of implementing regulations under the Data Protection Act 24 of 2019 (DPA) were published on January 14, 2022, including the General Regulations, Complaints and Enforcement Regulations, and Registration Regulations.
  • The General Regulations focus on data subjects' rights, obligations of data controllers and processors, data protection by design or default, data protection impact assessments, transfer of personal data, notification of data breaches, and restrictions on commercial use of personal data.
  • The Complaints and Enforcement Regulations outline the procedure for lodging complaints with the Data Commissioner, enforcement and penalty notices, while the Registration Regulations specify the procedure and thresholds for registration of data controllers and processors with the Data Commissioner. The Regulations will come into force if not revoked within 28 days after referral to the House Committee on Delegated Legislation.

The Data Commissioner published the Regulations in draft form early last year for purposes of public participation, and subsequently received and compiled comments from the public for purposes of incorporation into the final versions of the Regulations.

The General Regulations are quite comprehensive and aim to give effect to the rights of data subjects and also to elucidate the obligations of data controllers and data processors under the DPA. The General Regulations also expound further on other salient features of the DPA including the implementation of data protection by design or by default, data protection impact assessments, the transfer of personal data outside Kenya, the notification of personal data breaches and the restrictions on the commercial use of personal data.

The Complaints and Enforcement Regulations set out the procedure for lodging complaints with the Data Commissioner and for the issuance and management of enforcement and penalty notices under the DPA. The Registration Regulations on the other hand set out the procedure and thresholds for registration of persons with the Data Commissioner in their capacity as data controllers and data processors.

The Regulations are required to be tabled before the National Assembly within a week of the publication date and to be subsequently referred to the House Committee on Delegated Legislation for scrutiny and possible revocation. If within 28 days from the date of such referral (or such other period as the National Assembly may approve) this committee shall not have not made a report recommending the revocation of the Regulations, then the Regulations will come into force. We are reviewing the contents of the Regulations and will issue a comprehensive legal alert in due course.

For more information on DPA, please watch our short video summary of the salient features of the Act here and to read our brief analysis of its extra territorial applicability here.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2025 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

28 Nov 2024

by Heinrich Louw and Petr Erasmus

Can SARS limit access to a taxpayer’s premises when carrying out an inspection?

Judgment was handed down in the case of Alliance Fuel (Pty) Ltd and Inspacial Properties (Pty) Ltd v Commissioner for the South African Revenue Service in the High Court on 15 October2024. 

Tax & Exchange Control

6 min read

30 Oct 2024

by Imraan Mahomed

Employment of illegal foreigners: What employers need to know

Imraan Mahomed, Director in the Employment Law practice joined Ashraf Garda on SAfm to discuss Employment of Illegal foreigners: What employers need to know.

Employment Law

06:44 Minutes

26 Aug 2024

by Sammy Ndolo, Njeri Wagacha and Brian Muchiri

Chambers and Partners' Fintech Global Practice Guides 2024

We are pleased to announce our contribution to Chambers and Partners' Fintech Global Practice Guides 2024.

Corporate & Commercial Law

1 min read

13 Nov 2024

by Alex Muchira and Yvonne Njuguna

Beneficial ownership information disclosure

Pursuant to Section 93A of the Kenyan Companies Act, 2015, every company is required to keep a register of its beneficial owners. To give effect to this amendment, the Government published the Companies Beneficial Ownership Information Regulations, 2020 (Regulations), which came into effect on 13 October 2020. Companies are hence required to update their beneficial ownership E-register.

Corporate & Commercial Law

5 min read

17 Oct 2024

by Andries le Grange and Nelisiwe Khumalo

Navigating merger waters: The Competition Commission’s final guidelines on indivisible transactions

On 4 October 2024, the Competition Commission (Commission) published its final guidelines on indivisible transactions (Guidelines). The Guidelines provide clarity on the Commission’s approach when determining whether two or more separate transactions should be notified as a single, indivisible transaction. The Guidelines aim to ensure that merger parties understand when they are required to notify mergers as a single indivisibletransaction. 

Firm News

3 min read

16 Jan 2025

by Chris Charter

Is South African merger control raining on private equity’s Dezemba

Chris Charter, Director and Practice Head in the Competition Law practice was recently featured in DealMakersSA - Catalyst Q3 2024 to discuss “Is South African merger control raining on private equity’s Dezemba?”

Competition Law

1 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline