The Data Commissioner published the Regulations in draft form early last year for purposes of public participation, and subsequently received and compiled comments from the public for purposes of incorporation into the final versions of the Regulations.
The General Regulations are quite comprehensive and aim to give effect to the rights of data subjects and also to elucidate the obligations of data controllers and data processors under the DPA. The General Regulations also expound further on other salient features of the DPA including the implementation of data protection by design or by default, data protection impact assessments, the transfer of personal data outside Kenya, the notification of personal data breaches and the restrictions on the commercial use of personal data.
The Complaints and Enforcement Regulations set out the procedure for lodging complaints with the Data Commissioner and for the issuance and management of enforcement and penalty notices under the DPA. The Registration Regulations on the other hand set out the procedure and thresholds for registration of persons with the Data Commissioner in their capacity as data controllers and data processors.
The Regulations are required to be tabled before the National Assembly within a week of the publication date and to be subsequently referred to the House Committee on Delegated Legislation for scrutiny and possible revocation. If within 28 days from the date of such referral (or such other period as the National Assembly may approve) this committee has not made a report recommending the revocation of the Regulations, then the Regulations will come into force. We are reviewing the contents of the Regulations and will issue a comprehensive legal alert in due course.
For more information on the DPA, please watch our short video summary of the salient features of the Act here and read our brief analysis of its extraterritorial applicability here.