Navigating Kenya’s Evolving Data Protection Landscape: Key Insights from Our Recent Legal Review

Nairobi, June 2025 — With the increasing digitization of services and a growing emphasis on privacy rights, Kenya’s data protection regime has come into sharp focus. In our latest legal review, Karanu Kanai & Co. Advocates provides critical insights into the current landscape, recent developments, and what businesses must do to stay compliant.

A Growing Regulatory Framework

Since the enactment of the Data Protection Act, 2019, Kenya has taken major steps to align with global data privacy norms, including the GDPR. The Office of the Data Protection Commissioner (ODPC) has issued key guidance, conducted high-profile audits, and enforced penalties for non-compliance, signaling a shift from awareness to enforcement.

Our legal review found that:

  • Data Controllers and Processors must now be registered with the ODPC.
  • Consent management is under increased scrutiny, with specific requirements for transparency, purpose limitation, and withdrawal mechanisms.
  • Cross-border data transfers require additional safeguards and justification.
  • Data Subject Rights, including access, correction, and erasure, are enforceable and must be supported by internal processes.

Compliance Challenges & Risks

Many businesses, especially SMEs and organizations in the financial, healthcare, and tech sectors, still face challenges in interpreting and implementing compliance measures. Key risks include:

  • Inadequate data governance policies
  • Lack of data breach response plans
  • Improper handling of employee or customer data
  • Use of third-party tools without proper data processing agreements

Legal Advisory and Risk Mitigation

At Karanu Kanai & Co. Advocates, we are advising clients on:

  • Conducting Data Protection Impact Assessments (DPIAs)
  • Drafting and reviewing privacy notices, internal data policies, and third-party contracts
  • Representing clients in audits and regulatory investigations by the ODPC
  • Training staff on data protection obligations

As our review notes, proactive compliance is not just a legal requirement — it builds customer trust, protects brand reputation, and reduces the risk of costly penalties.

Looking Ahead

With anticipated updates to sector-specific data guidelines (especially in health and finance), and growing consumer awareness, organizations must move beyond minimum compliance to adopt a privacy-by-design approach.

We recommend a phased roadmap for organizations:

  1. Audit current data practices
  2. Appoint a Data Protection Officer (DPO) where applicable
  3. Develop and implement internal privacy frameworks
  4. Engage legal counsel for regulatory alignment and risk mitigation

Final Thoughts

Kenya’s data protection regime is maturing, and enforcement will only intensify. Our firm remains committed to helping clients navigate this evolving space with clarity, confidence, and compliance. Businesses that act early and decisively will not only stay ahead of regulatory changes but also gain a competitive edge in a privacy-conscious marketplace.


About Karanu Kanai & Co. Advocates
Karanu Kanai & Co. Advocates is a full-service law firm with recognized expertise in regulatory compliance, commercial transactions, and emerging areas such as data protection and digital law.

Contact Us
For tailored legal support on data protection compliance, contact our regulatory advisory team at:
📧 info@karanukanai.co.ke
