
Draft Guidance Notes by the Office of the Data Protection Commissioner

The draft Guidance Notes issued by the Office of the Data Protection Commissioner (ODPC) provide crucial regulatory clarity for various sectors (Children’s data, Public Sector, Historical and Statistical Purposes, MSMEs, Publication of photographs, Research data, Biometric data and Journalistic and artistic purposes) on compliance with Kenya’s Data Protection Act, 2019.

These guidelines outline obligations for data controllers and processors, emphasizing lawful processing, accountability, and safeguarding individuals’ privacy rights.

Affected stakeholders include businesses, MSMEs, government agencies, nonprofits, media companies, researchers and technology service providers—all of whom must align their operations with the ODPC’s standards to ensure transparency, mitigate risks of non-compliance, and foster trust in Kenya’s digital economy.

Common Features across the Guidance Notes

  • Central Role of the ODPC: Each note outlines the establishment, mandate, and vital role of the Office of the Data Protection Commissioner (ODPC) as the regulatory body responsible for enforcing data protection laws, safeguarding privacy, investigating breaches, and promoting public awareness. The ODPC is positioned as a key facilitator of the government’s digital transformation initiatives.
  • Adherence to Data Protection Principles: A consistent theme is the mandatory application of core data protection principles derived from Section 25 of the Data Protection Act. These include Lawfulness, Fairness & Transparency, Purpose Limitation, Data Minimization, Storage Limitation, Integrity & Confidentiality and Accountability.
  • Emphasis on Lawful Bases for Processing: The guidance notes detail the various lawful bases (e.g., consent, contract performance, legal obligation, vital interest, public interest, legitimate interest, public authority task) that data controllers and processors can rely on for processing personal data. Consent is consistently defined as requiring an explicit, informed, free, and specific affirmative indication of agreement to the data processing.
  • Protection of Data Subject Rights: A core commonality is the comprehensive outlining of data subjects’ rights, including the right to be informed, access, rectification, objection, non-submission to automated decision-making, erasure, and data portability. Organizations are obligated to facilitate the exercise of these rights.
  • Key Compliance Obligations: Beyond principles and rights, several practical obligations appear in nearly every note.

These include:

  1. Registration with the ODPC as a Data Controller or Processor
  2. Privacy by Design and Default: Advocating for embedding privacy measures from the initial design phase of systems and processes.
  3. Data Protection Impact Assessments (DPIAs): Required for high-risk processing activities to identify and mitigate risks.
  4. Data Breach Notification: Obligation to report personal data breaches to the ODPC within 72 hours and to affected data subjects where appropriate.
  5. Engagement of Data Processors: Stipulating the need for written contracts and due diligence when outsourcing data processing to third parties.
  6. Duty to Notify (Privacy Notices): Requiring data handlers to provide clear, concise, and accessible information about data processing practices to data subjects.

Key Implications

  • Standardization of Data Protection Practices: The overarching goal is to standardize data protection practices across diverse sectors, from government agencies to small businesses and specialized fields like media and research. This ensures a more consistent and robust privacy landscape nationwide, reducing ambiguity and promoting a shared understanding of obligations.
  • Increased Compliance Burden for Organizations: All entities handling personal data will face a heightened compliance burden. This necessitates significant investment in policies, procedures and data governance structures, technological infrastructure, and training and awareness.
  • Empowerment of Data Subjects: The explicit enumeration and consistent emphasis on data subject rights empower individuals with greater control and transparency over their personal information. This will likely lead to an increase in data subject requests (e.g., for access or erasure) and a higher expectation of accountability from organizations.
  • Proactive Risk Management: The mandatory nature of “Privacy by Design and Default” and Data Protection Impact Assessments (DPIAs) shifts the focus from reactive damage control to proactive risk identification and mitigation. This encourages organizations to integrate privacy considerations from the very outset of any new system, service, or product development, potentially saving costs and reputational damage in the long run.
  • Stricter Handling of Sensitive Data and Vulnerable Groups: Entities processing sensitive personal data (like biometric data) or data belonging to vulnerable groups (like children) will face more rigorous requirements, including heightened consent standards and specialized safeguards. This acknowledges the greater potential for harm in these contexts and aims to provide enhanced protection.
  • Enhanced Accountability and Oversight: The ODPC’s mandate to monitor compliance, investigate breaches, and impose sanctions, coupled with the detailed compliance checklists provided, signals a serious intent to enforce the Data Protection Act. Organizations will need to maintain meticulous records of their data processing activities to demonstrate accountability. Non-compliance could result in significant penalties and reputational harm.
  • Sector-Specific Nuances: While the core principles are universal, the guidance notes acknowledge and address sector-specific considerations and existing legislation (e.g., Media Council Act for journalists, Children’s Act for minors, Micro and Small Enterprises Act for MSMEs). This implies that a tailored, context-aware approach to data protection implementation will be necessary for different types of organizations.