Kenya
Summary
Law: The Data Protection Act, 2019 (the Act) and the Data Protection Regulations, 2021 (the 2021 Regulations)
Regulator: Office of the Data Protection Commissioner (ODPC)
Summary: The Act came into effect on November 25, 2019, and sets out data subject rights, principles of data processing, and obligations related to data transfers, direct marketing, and breach notifications. The 2021 Regulations, which came into effect on July 14, 2022, supplement the provisions of the Act and comprise three distinct regulations, namely:
- the Data Protection (General) Regulations, 2021;
- the Data Protection (Compliance and Enforcement) Regulations, 2021;
- the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
There are also several sector-specific pieces of legislation in Kenya addressing data protection in areas such as the ICT industry, the health sector, and the financial sector, as well as other pieces of general legislation affecting data protection, including the Consumer Protection Act, 2012 (the Consumer Protection Act) and the Computer Misuse and Cybercrimes Act No. 5 of 2018 (the Computer Misuse and Cybercrimes Act).