Tags: DPO, Kenya DPA 2019, Compliance

The DPO's Role Under the Kenya DPA 2019: What Section 24 Actually Requires

Dira Compliance Team

The Data Protection Officer (DPO) is one of the most misunderstood roles in Kenya DPA 2019 compliance. Some organisations treat the DPO as a box-ticking exercise - designating the company lawyer or a junior IT staff member and calling the obligation satisfied. That approach misreads both the legal requirement and the strategic value of the role.

Section 24 of the Kenya DPA 2019 sets out when a DPO should be designated, what qualifications they must have, and what they are required to do. This guide walks through each element.

Who Should Designate a DPO?

Section 24 provides for the designation of a DPO. Designation is expected where processing is likely to result in high risk to the rights and freedoms of data subjects - and the indicators are consistent with those that trigger a DPIA obligation under section 31.

Processing is likely to be high risk where it involves:

  • Sensitive personal data as defined in s.2 - race, health status, ethnic social origin, conscience or belief, genetic or biometric data, property details, marital status, family details, sex or sexual orientation - processed at scale (processing conditions in ss.44-47)
  • Systematic monitoring of individuals - employee monitoring systems, CCTV networks, location tracking
  • Automated decision-making with significant effects - credit scoring, insurance underwriting, recruitment screening
  • Large-scale processing - a financial institution processing millions of customer records, or a healthcare provider holding patient data across a large population
  • Data processing by a public authority - government agencies and public bodies should assume a DPO is required

Section 24 expressly permits a group of undertakings to share a single DPO, provided the DPO is easily accessible from each entity. A holding company and its subsidiaries may designate one DPO, subject to workload being manageable.

Even where the strict legal obligation is unclear - because your processing sits in a grey zone on the risk spectrum - designating a DPO is low-cost insurance. The ODPC views DPO designation as a positive indicator of accountability. The absence of a DPO where one arguably should have been designated is a compliance gap that will attract scrutiny in an audit.

What Qualifications Must a DPO Have?

Section 24 requires the DPO to have expert knowledge of data protection law and practices. The Act does not specify formal qualifications, certifications, or a minimum number of years of experience - but expert knowledge is a meaningful threshold.

A DPO must be capable of understanding the Kenya DPA 2019 and Data Protection (General) Regulations 2021 in depth, advising the organisation on its compliance obligations, monitoring processing activities, and engaging competently with the ODPC on the organisation's behalf.

In practice, most organisations look for DPOs who hold recognised data protection qualifications (CIPP/A, CDPO, or equivalent) and have direct experience applying data protection law - not merely theoretical familiarity with it.

Section 24 requires the DPO's contact details to be published (typically on the organisation's privacy notice and website) and communicated to the ODPC - the ODPC maintains a register of designated DPOs. Failure to publish DPO contact details is a straightforward compliance gap the ODPC can identify without conducting an audit.

What Must the DPO Actually Do?

Section 24(7) sets out the core DPO functions, each discussed below. The list expressly includes facilitating capacity building for staff involved in data processing (s.24(7)(c)), so staff training is a statutory function of the DPO, not an optional extra.

Inform and advise the controller and its staff. The DPO is an internal expert, not an external auditor. Their primary function is to provide practical guidance to the data controller, processors acting on the controller's behalf, and staff who handle personal data - answering questions from operations, product, marketing, and HR teams; reviewing contracts that involve personal data; advising on new systems before they go live; and delivering training.

Monitor compliance with the Act. The DPO monitors the organisation's data protection practices on an ongoing basis - not just during audit season. This means reviewing processing activities against the ROPA under section 25, tracking DSR responses and breach incidents, testing that data retention policies are being applied, and identifying new processing activities that require a DPIA or a lawful basis assessment.

Advise on and monitor DPIAs. Where a DPIA is required under section 31, the DPO advises on the process, reviews the output, and monitors implementation of the risk mitigations identified. The DPO does not own the DPIA. The data controller owns the legal obligation. Confusing these roles - by having the DPO both conduct and approve DPIAs - undermines the independence that makes the DPO role valuable.

Cooperate with the ODPC. The DPO is the organisation's designated point of contact with the Office of the Data Protection Commissioner. This includes responding to ODPC enquiries, facilitating audits and investigations, and submitting breach notifications under section 43.

Act as contact point for the ODPC. The DPO must be reachable by the ODPC without unnecessary delay. The ODPC should not need to navigate a switchboard to reach the person responsible for data protection compliance.

The DPO's Independence - A Critical Point

The DPO role implies independence. A DPO who reports to a line manager who can override their compliance advice - or who faces adverse consequences for raising compliance concerns - cannot meaningfully perform the functions in section 24(7).

Conflicts of interest to avoid include: a DPO who is also the Head of Marketing (where marketing decisions drive data collection), a DPO who is also the Head of IT (where they would audit their own systems), or an external counsel with a commercial interest in the organisation's product decisions.

The DPO should have a direct line to senior management or the board - not because they approve all decisions, but because they can escalate compliance concerns without being silenced.

Internal vs. External DPO

Factor                  | Internal DPO                               | External DPO
------------------------|--------------------------------------------|------------------------------------------
Institutional knowledge | Deep - embedded in the organisation        | Shallower - depends on engagement depth
Availability            | Full-time, always reachable                | Depends on contract terms
Independence            | Risk of organisational pressure            | Stronger structural independence
Cost                    | Higher fixed cost (salary + benefits)      | Variable - may suit smaller organisations
Expertise breadth       | May be narrow if drawn from one function   | Often broader across industries

For smaller organisations, a well-structured external DPO engagement - with clear access rights, defined deliverables, and a genuine advisory mandate - can satisfy section 24 at reasonable cost. For organisations with large volumes of high-risk processing, an internal DPO is generally more appropriate.

What the DPO Is Not Responsible For

  • The DPO is not personally liable for the organisation's compliance failures - legal accountability lies with the data controller
  • The DPO does not make compliance decisions - they advise; the decision-maker is senior management
  • The DPO does not approve processing activities - approving processing is a management function, not a compliance function
  • The DPO is not a substitute for legal counsel on matters requiring formal legal advice

These limits matter because organisations sometimes treat the DPO as a liability shield - the person who "signed off" on something that later went wrong. A properly structured DPO role does not work that way.

Section 24 at a Glance

Obligation                                                      | Reference
----------------------------------------------------------------|-----------
Designate a DPO where processing is likely to be high risk      | s.24
Groups may share a single DPO (if accessible from each entity)  | s.24
Publish DPO contact details and notify the ODPC                 | s.24
DPO must have expert knowledge of data protection law           | s.24
DPO informs and advises controller and staff                    | s.24(7)
DPO monitors compliance with the Act                            | s.24(7)
DPO facilitates staff capacity building (training)              | s.24(7)(c)
DPO advises on and monitors DPIAs                               | s.24(7)
DPO cooperates with and acts as contact point for the ODPC      | s.24(7)

The DPO is not a compliance ornament. Organisations that invest in a well-resourced, genuinely independent DPO - with access to senior management, a realistic mandate, and the tools to monitor compliance - are materially better positioned for an ODPC audit than those who designate someone in title only.
