Data Protection and Compliance in Kenya: Turn the ODPC from a Risk into Your Competitive Advantage
The ODPC has issued over 1,000 penalties, a significant jump from the roughly 100 issued in the previous two years. Enforcement is active, expanding, and sector-agnostic. We handle registration, DPIAs, policy drafting, outsourced DPO services, and breach response.


Data Protection is a Business Imperative
Last updated: 1 June 2025
Kenya’s Office of the Data Protection Commissioner is no longer a theoretical compliance risk. The ODPC is issuing enforcement notices, conducting audits, and awarding compensation to data subjects whose rights have been violated. In cases involving Oppo, Regus, and Whitepath, the Commissioner ordered penalties of the maximum KES 5,000,000 for various data protection violations. The message was clear: treating data protection as optional paperwork is no longer an option. The ODPC has since issued over 1,000 penalties of varying amounts for non-compliance, and is actively considering raising the ceiling on fines further. For your business, this is both a legal obligation and a strategic opportunity. Companies that get data protection right do not just avoid fines. They build the kind of trust with clients, partners, and employees that becomes a genuine commercial differentiator, particularly in sectors where data is the product. At Keega and Company Advocates, we understand the law deeply and practically, and we know how to make compliance achievable rather than theoretical.
ODPC Registration and Ongoing Compliance
Every organisation that processes personal data in Kenya is required to register with the Office of the Data Protection Commissioner as a data controller, a data processor, or both. Failure to register can result in fines of up to KES 5 million or 1% of annual turnover, whichever is higher.
We handle the entire registration process. That means determining whether your organisation qualifies as a data controller, data processor, or both, preparing and submitting your ODPC registration application, drafting or reviewing your data processing records, and advising on your ongoing obligations including breach notification timelines. For international organisations operating in Kenya, we also advise on cross-border data transfer requirements and the adequacy framework under the Data Protection Act 2019.
Registration is the starting point, not the finish line. We stay with you through the compliance cycle.
Data Protection Impact Assessments
Before undertaking high-risk data processing activities, organisations are required to conduct a Data Protection Impact Assessment and, in certain cases, notify the ODPC before proceeding. High-risk activities include processing sensitive personal data at scale, introducing surveillance or monitoring systems, and implementing automated decision-making processes that affect individuals.
We conduct comprehensive DPIAs across all sectors, with particular depth in healthcare, fintech, edtech, and digital platforms. Our assessments identify actual risks rather than theoretical ones, and every recommendation we make is practical and implementable within your existing operations, not a compliance checklist that sits in a drawer.
Data Protection Officer Services
Not every organisation is required to appoint a Data Protection Officer, but those that are must designate someone with genuine expertise, independence, and the legal knowledge to do the role properly. Most organisations do not have that capacity sitting internally, and appointing the wrong person creates more risk than it resolves.
We offer outsourced DPO services on a retained basis, acting as your organisation’s DPO with the independence, expertise, and regulatory standing the law requires. Your outsourced DPO will maintain your compliance calendar, advise your team on day-to-day data protection queries, liaise with the ODPC on your behalf, and manage breach notification procedures when they arise.
Policy Drafting and Staff Training
Data protection compliance is not just about legal documents. It is about operational culture. A privacy policy that nobody reads, or a data retention policy that nobody follows, offers no real protection when the ODPC comes knocking.
We draft privacy policies that are legally compliant and written to be understood, data processing agreements for vendor relationships, incident management policies, data retention and deletion policies, and access control procedures. We also design and deliver staff training programmes tailored to your sector and your team’s level of technical knowledge. Our training is built for genuine understanding, not box-ticking, because the weakest point in most data protection frameworks is not the policy document. It is the person who never read it.
Data Breach Response
When a personal data breach occurs, you have 72 hours to notify the ODPC if the breach poses a risk to data subjects’ rights and freedoms. How you respond in those 72 hours will shape both your legal liability and your reputational outcome.
We provide rapid-response data breach support from the moment you discover an incident. That means breach assessment and risk classification, notification drafting for the ODPC and affected data subjects, coordination with your technical team on containment and remediation, representation before the ODPC in any subsequent investigation, and post-breach legal analysis to close the gaps that allowed the breach to happen in the first place.
Seventy-two hours moves fast. We help you use them well.
Our Integrated Data Protection Services
We offer end-to-end solutions tailored to your specific industry and risk profile.

Data protection compliance does not have to be overwhelming.
With the right legal partner it becomes a structured, manageable process and, done well, a genuine source of competitive strength. Talk to our data protection team today. Call us on +254 713 451 503, or book a consultation online. All enquiries are handled in strict confidence.
