10 Dec
Business, Informational Articles, Government Services, How to

How to Get a Data Protection License in Kenya

Data protection has become a critical concern for businesses and individuals alike. With the enactment of the Data Protection Act, 2019, Kenya has taken significant steps to regulate the processing of personal data.

If you work or provide services in the online space, there is no doubt that you will need a data protection license. Having one is not only important; it is required by law.

This guide gives you a comprehensive understanding of data protection, the steps to obtain a license, and the essential principles to comply with.

Table of Contents

1. How to Get a Data Protection License in Kenya

2. What Is Data Protection and What Is Its Purpose?

3. Who Needs a Data Protection License?

4. Steps to Register as a Data Controller or Processor

5. What If My Application Is Declined?

6. The Seven Principles of Data Protection

7. Frequently Asked Questions (FAQs)

8. Conclusion

What Is Data Protection and What Is Its Purpose?

Data protection refers to the laws, policies, and measures put in place to safeguard personal information. The primary objectives of Kenya’s Data Protection Act are to:

  • Protect individuals’ privacy.
  • Regulate the collection, storage, sharing, and use of personal data.
  • Hold organizations accountable for data misuse or breaches.
  • Build trust between entities and their customers.

Who Needs a Data Protection License?

The law requires data controllers and data processors to register with the Office of the Data Protection Commissioner (ODPC) before engaging in any data processing activities.

  • Data Controllers: Entities or individuals that determine why and how personal data is processed.
  • Data Processors: Entities or individuals that process personal data on behalf of controllers.

Unless exempted, registration is mandatory for all data controllers and processors.

Steps to Register as a Data Controller or Processor

1. Access the ODPC Portal

  • Visit the ODPC website and navigate to the E-Services tab.

2. Create an Account

  • Register with a valid email address and create a strong password.
  • Ensure the contact details are accurate and active.

3. Complete the Registration Form

The form requires:

  • Contact details of the data controller or processor.
  • Categories and purposes of personal data processed.
  • Description of data subjects (e.g., customers, employees).
  • Security protocols for data protection.
  • Revenue/annual turnover details.
  • Details of cross-border data transfers, if applicable.
  • Information about your Data Protection Officer (DPO), if required.

4. Pay the Registration Fee

Fees depend on your organization’s size:

  • SMEs: Ksh 4,000 annually.
  • Large Organizations: Ksh 40,000 annually.

Payment methods accepted include Mpesa, EFT, credit/debit cards, and cheques.

5. Submit Your Application

  • Submit the completed form and wait for feedback.
  • The ODPC may request corrections or additional details.

6. Receive Your Certificate

  • A certificate is issued within 14 days of approval.
  • The certificate is valid for two years and must be renewed.

What If My Application Is Declined?

If declined, the ODPC will notify you within 21 days, stating the reasons. You can make corrections and reapply.

The Seven Principles of Data Protection

Kenya’s Data Protection Act enforces seven principles to ensure personal data is handled responsibly and securely.

1. Lawfulness, Fairness, and Transparency

  • Data must be processed in accordance with the law.
  • Individuals must be informed about how their data will be used.

2. Purpose Limitation

  • Data should only be collected for specific, legitimate purposes.
  • Reusing data for unrelated purposes requires additional consent.

3. Data Minimization

  • Collect only the data necessary for the stated purpose.

4. Accuracy

  • Personal data must be accurate and up to date.
  • Organizations should provide mechanisms for individuals to correct their data.

5. Storage Limitation

  • Data should not be kept longer than necessary.
  • After use, data must be securely deleted or anonymized.

6. Integrity and Confidentiality (Security)

  • Protect data from unauthorized access, loss, or breaches through robust security measures such as encryption and regular audits.

7. Accountability

  • Maintain records of processing activities.
  • Appoint a Data Protection Officer (DPO) where required.
  • Regularly review and update data protection policies.

Frequently Asked Questions (FAQs)

1. How Much Does It Cost to Register?

  • SMEs: Ksh 4,000 annually.
  • Large organizations: Ksh 40,000 annually.

2. What Are the Three Types of Data Protection?

  1. Physical Protection: Safeguarding physical storage systems.
  2. Technical Protection: Using encryption and secure networks.
  3. Administrative Protection: Policies, training, and appointing a DPO.

3. Who Needs to Appoint a DPO?

Organizations processing large volumes of sensitive data or those involved in high-risk processing activities must appoint a DPO.

4. How Much Do Data Protection Officers Make in Kenya?

  • Entry-level: Ksh 80,000–150,000 per month.
  • Experienced: Ksh 200,000–400,000 per month.
  • Senior roles: Over Ksh 500,000 in large organizations.

5. What If My Application Is Declined?

You can correct any errors and resubmit your application for reevaluation.

Why Is Compliance Important?

  1. Avoid Legal Penalties: Non-compliance can lead to fines and reputational damage.
  2. Build Customer Trust: Demonstrate accountability and transparency.
  3. Enhance Operational Efficiency: Proper data management reduces risks.

Conclusion

Securing a Data Protection License is a crucial step for organizations handling personal data in Kenya. Compliance with the Data Protection Act safeguards operations, builds trust, and ensures legal accountability.

By understanding and implementing the Act’s seven principles, organizations can establish responsible data practices and avoid legal repercussions.

Start your compliance journey today and protect your business's future! Contact us for any support needed.

Comments (1)
  • author
    Toni

    My partner and I stumbled over here from a different website and
    thought I should check things out. I like what I see so I am just following you.

    Look forward to looking at your web page for a second
    time.
