Skip to content

The Kenya Data Protection Act: What Every Business Must Know

The Data Protection Act governs how Kenyan businesses collect and use personal data. It is not just for big tech - any business holding customer details has obligations.

By Karani Geoffrey, Founder & CEO, Upeosoft
In short

The Kenya Data Protection Act governs how businesses collect, store and use personal data. It requires you to have a lawful reason to collect data, use it only for that purpose, keep it secure, and respect people's rights over their own information. It applies to any business holding customer or staff data, overseen by the Office of the Data Protection Commissioner.

Key takeaways
  • The Act applies to any business that collects personal data - not only large or tech companies.
  • You need a lawful basis to collect data and must use it only for the stated purpose.
  • People have rights over their data, including access, correction and objection.
  • You must keep personal data secure and report certain breaches.
  • The Office of the Data Protection Commissioner (ODPC) oversees and enforces the Act.
  • Registration as a data controller or processor may be required depending on your activities.

Why this law matters to ordinary businesses

Many Kenyan business owners assume data protection is a concern for banks and tech giants. It is not. The Data Protection Act governs how any business handles personal data, and almost every business holds it - customer phone numbers, ID copies, M-Pesa details, employee records, patient files.

The moment you collect information that identifies a person, you are within the scope of the Act and you have duties. Treating it as someone else's problem is the first and most common mistake. Understanding the basics is now part of running a legitimate business in Kenya.

The core principles you must follow

The Act is built on a set of sensible principles that translate into everyday practice.

  • Lawfulness: have a legitimate basis, such as consent or contract, to collect data.
  • Purpose limitation: use data only for the reason you collected it.
  • Data minimisation: collect only what you actually need.
  • Accuracy: keep personal data correct and up to date.
  • Storage limitation: do not keep data longer than necessary.
  • Security: protect data against loss, theft and unauthorised access.

The rights of the people whose data you hold

The Act gives individuals real rights over their own information, and your business must be able to honour them. People can ask what data you hold about them, request corrections to inaccurate information, and in certain circumstances object to how their data is used or ask for it to be deleted.

Honouring these rights is not just goodwill - it is a legal expectation. Practically, it means your systems must be able to locate a specific person's data and act on it. If customer information is scattered across notebooks, spreadsheets and chat threads, you cannot realistically respond to a request, which itself signals a compliance gap.

Security and breach obligations

Keeping personal data secure is a central duty, not an optional extra. That means controlling who can access data, protecting it technically, and having a plan for when something goes wrong. Where a breach occurs and poses a risk to people, the Act expects notification to the regulator and, where appropriate, to those affected within the required timeframe.

The takeaway is that security and privacy are linked: you cannot claim to protect people's data if anyone can access it or if a leak goes unreported. Building reasonable security into how you store data is how you meet this obligation before a breach ever happens.

The role of the ODPC and registration

The Office of the Data Protection Commissioner (ODPC) oversees and enforces the Act. Depending on what your business does with personal data, you may be required to register as a data controller or data processor, and you may need to appoint someone responsible for data protection.

Because thresholds, registration requirements and enforcement practices evolve, treat any specific rule as something to confirm against current ODPC guidance rather than assume. What is constant is that a regulator exists, it can act, and non-compliance carries real consequences - so engaging with your obligations early is far wiser than waiting to be asked.

Turning compliance into good practice

The most reassuring thing about the Act is that complying with it largely overlaps with running a well-organised, trustworthy business. Know what data you hold and why. Collect only what you need. Store it in systems that control access and can retrieve a person's records. Keep it secure. Have a plan if something goes wrong.

Do those things and you are most of the way there. The businesses that struggle are those with data scattered everywhere, no idea what they hold, and no way to secure or retrieve it. Good systems make compliance a by-product rather than a burden.

How Upeosoft builds privacy-ready systems

We build software with data protection in mind: controlled access so only the right people see personal data, structured storage so you actually know what you hold and can retrieve a person's records, security by design, and audit trails that show how data has been used.

We help you move customer and staff data out of scattered spreadsheets and chats into systems you can actually govern. If you want your business to be genuinely privacy-ready rather than exposed, talk to Upeosoft about building systems that respect the Data Protection Act by design.

Frequently asked questions

Does the Data Protection Act apply to my small business?

Very likely yes. The Act applies to businesses that collect and process personal data - names, phone numbers, ID details, M-Pesa numbers, health records - regardless of size. If you hold information about customers or employees, you have obligations. It is a common mistake to assume the law only targets large corporations or tech firms.

What is a lawful basis for collecting data?

It means you must have a legitimate, defined reason to collect someone's personal data - such as their consent, a contract you are fulfilling, or a legal obligation - rather than gathering it just because you can. You then use that data only for the purpose you stated. Collecting data with no clear basis, or repurposing it for something else, is where businesses fall foul of the Act.

What rights do people have over their data?

Individuals have rights over their personal information, including the right to be informed about how it is used, to access what you hold, to have inaccurate data corrected, and in certain cases to object to processing or request deletion. Your business needs a way to receive and respond to these requests, which means your systems must be able to find and manage a person's data.

What happens if there is a data breach?

The Act sets expectations around securing personal data and, where a breach poses a risk, notifying the regulator and affected people within the required timeframe. That means you need both preventive security and a plan for what to do if data is exposed. Ignoring a breach or hiding it compounds the problem and the potential penalties.

Do I need to register with the ODPC?

Depending on the nature and scale of your data processing, you may be required to register as a data controller or processor with the Office of the Data Protection Commissioner. Because the specific thresholds and requirements can change, confirm your obligations against current ODPC guidance or with a professional rather than assuming you are exempt.

Karani Geoffrey
Karani Geoffrey
Founder & CEO, Upeosoft

Karani Geoffrey is the Founder & CEO of Upeosoft, a software and automation company rooted in Kenya. He builds custom software, AI systems, and production-grade ERPNext for businesses across East Africa, and writes about the Kenyan realities - eTIMS, M-Pesa, SHIF, unreliable internet and power - that make or break real systems.

Next step

Want this working in your business?

Upeosoft builds and hardens the systems behind this article - for real Kenyan operations, with eTIMS, M-Pesa and offline realities handled.

Keep reading

Kenyan Compliance and Integrations

Keeping Customer Data Safe: A Security Guide for Kenyan SMEs

You do not need an enterprise budget to protect customer data. Most breaches at Kenyan SMEs come from basics left undone - weak passwords, shared logins and no backups.

6 min readRead article →
Kenyan Compliance and Integrations

How M-Pesa Integration Actually Works (And Why It Goes Wrong)

M-Pesa integration is not a plugin you switch on. It is a conversation between Safaricom's Daraja API and your system, and most failures happen at the callback and reconciliation stage.

7 min readRead article →
Kenyan Compliance and Integrations

eTIMS Integration: What KRA Compliance Really Requires

eTIMS integration means your invoicing software transmits every sale to KRA in real time and stamps invoices with a KRA control code. Here is what compliance actually requires and where businesses trip up.

6 min readRead article →