Why this law matters to ordinary businesses
Many Kenyan business owners assume data protection is a concern for banks and tech giants. It is not. The Data Protection Act governs how any business handles personal data, and almost every business holds it - customer phone numbers, ID copies, M-Pesa details, employee records, patient files.
The moment you collect information that identifies a person, you are within the scope of the Act and you have duties. Treating it as someone else's problem is the first and most common mistake. Understanding the basics is now part of running a legitimate business in Kenya.
The core principles you must follow
The Act is built on a set of sensible principles that translate into everyday practice.
- Lawfulness: have a legitimate basis, such as consent or contract, to collect data.
- Purpose limitation: use data only for the reason you collected it.
- Data minimisation: collect only what you actually need.
- Accuracy: keep personal data correct and up to date.
- Storage limitation: do not keep data longer than necessary.
- Security: protect data against loss, theft and unauthorised access.
The rights of the people whose data you hold
The Act gives individuals real rights over their own information, and your business must be able to honour them. People can ask what data you hold about them, request corrections to inaccurate information, and in certain circumstances object to how their data is used or ask for it to be deleted.
Honouring these rights is not just goodwill - it is a legal expectation. Practically, it means your systems must be able to locate a specific person's data and act on it. If customer information is scattered across notebooks, spreadsheets and chat threads, you cannot realistically respond to a request, which itself signals a compliance gap.
Security and breach obligations
Keeping personal data secure is a central duty, not an optional extra. That means controlling who can access data, protecting it technically, and having a plan for when something goes wrong. Where a breach occurs and poses a risk to people, the Act expects notification to the regulator and, where appropriate, to those affected within the required timeframe.
The takeaway is that security and privacy are linked: you cannot claim to protect people's data if anyone can access it or if a leak goes unreported. Building reasonable security into how you store data is how you meet this obligation before a breach ever happens.
The role of the ODPC and registration
The Office of the Data Protection Commissioner (ODPC) oversees and enforces the Act. Depending on what your business does with personal data, you may be required to register as a data controller or data processor, and you may need to appoint someone responsible for data protection.
Because thresholds, registration requirements and enforcement practices evolve, treat any specific rule as something to confirm against current ODPC guidance rather than assume. What is constant is that a regulator exists, it can act, and non-compliance carries real consequences - so engaging with your obligations early is far wiser than waiting to be asked.
Turning compliance into good practice
The most reassuring thing about the Act is that complying with it largely overlaps with running a well-organised, trustworthy business. Know what data you hold and why. Collect only what you need. Store it in systems that control access and can retrieve a person's records. Keep it secure. Have a plan if something goes wrong.
Do those things and you are most of the way there. The businesses that struggle are those with data scattered everywhere, no idea what they hold, and no way to secure or retrieve it. Good systems make compliance a by-product rather than a burden.
How Upeosoft builds privacy-ready systems
We build software with data protection in mind: controlled access so only the right people see personal data, structured storage so you actually know what you hold and can retrieve a person's records, security by design, and audit trails that show how data has been used.
We help you move customer and staff data out of scattered spreadsheets and chats into systems you can actually govern. If you want your business to be genuinely privacy-ready rather than exposed, talk to Upeosoft about building systems that respect the Data Protection Act by design.
