Since the EU's General Data Protection Regulation (GDPR) took effect in 2018, many countries have been working towards GDPR-style data protection regimes, and Kenya is no exception. As one of Africa's growing fintech hot spots, Kenya's rapid technological advancement has drawn attention to data protection. It was recently reported that fintech innovation in Kenya has contributed substantially to a sharp rise in access to basic financial services, from around 26% of the population in 2006 to 83% today. The much-anticipated Data Protection Act (DPA) of 2019 is intended to regulate the processing of, and protect, the personal data of Kenya's population.

The DPA came into force on 25 November 2019 and incorporates rules and regulations closely modelled on the GDPR. Its passage was a major development for Kenya, which arguably boosts its international reputation and recognition as the third East African country to enact data privacy legislation.

Key highlights 

  • International data transfers – Cross-border data transfers are generally prohibited except in specific circumstances, and transferred data must be stored appropriately. Part V of the DPA sets out the exceptions to this rule.
  • Data subject rights – Under the DPA much like the GDPR, data subjects have the right to be informed; the right of access; the right to be forgotten or deletion; the right of rectification; the right to object or opt-out; the right to data portability; and the right not to be subject to automated decision-making. 
  • Data Protection Officer (DPO) appointment – It is mandatory for controllers and processors to appoint a DPO under specified conditions. 
  • Consent – As in other post-GDPR data protection legislation, consent and the withdrawal of consent are central elements of personal data protection. Consent is therefore expected to be unambiguous and concise, informed, and freely given, and the individual must be able to withdraw it freely.
  • Breach and penalties – Organisations must notify the Commissioner within 72 hours of becoming aware of a data breach. The maximum fine that may be imposed on an organisation is up to 1% of its annual turnover for the preceding financial year or up to KES 5 million (approx. €38,420).

The GDPR has set high regulatory standards in data protection, and its ripple effect continues to spread. Given the challenges posed by the advancement of Kenya's technology industries, such as fintech, organisations operating in or considering entering the Kenyan market must ensure they are DPA-compliant.

As part of HewardMills’ global DPO services, our Ghanaian team ensures clients in the region are kept up to date on the latest African data protection laws and regulations. To learn more, please get in touch by visiting or emailing us at