The Data Protection Act Draft Regulations include the Data Protection (General) Regulations, 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. The Regulations will come into effect after the lapse of a period of 28 days from the date of gazettement.
These regulations contain provisions on various aspects related to data subjects, such as the nuances of collecting consent for data processing, restrictions on the commercial use of data, the obligations of both data controllers and data processors, the elements of implementing data protection by design or by default, personal data breach notifications, data transfers outside the Republic of Kenya, and data protection impact assessments. The General Regulations further provide exemptions under the Data Protection Act, 2019.
Any data subject or any other person who is aggrieved by a matter under the Data Protection Act may lodge a complaint with the Data Commissioner by filling out Form DPC 1 provided under the Regulations. However, a complaint may also be lodged orally or through electronic means, which include email, web posting, a complaint management system, or any other appropriate means. Complaints may be lodged by a complainant in person, by their representatives, or by any other person authorized under the law to act on behalf of the data subject. Complaints may also be lodged anonymously. Complaints are to be acknowledged within 7 days, responses filed within 21 days, and a notification of a determination rendered within 7 days thereafter.
These Regulations provide the procedure for registration of data controllers and processors, and shall come into effect six (6) months from the date of their publication. These Regulations do not apply to civil registration entities as specified under the Data Protection (Civil Registration) Regulations.
Every data controller and data processor shall be required to register in accordance with the provisions of the Act and these Regulations. A data controller may apply for registration as both a data controller and a data processor with regard to any processing operations, and shall be required to pay the requisite fees applicable to both a data controller and a data processor.