A Records of Processing Activities (ROPA) is not a form you fill in once and file away. It is a living register of everything your organisation does with personal data - and under the Kenya Data Protection Act 2019, maintaining it is a legal obligation that applies to every data controller and processor in Kenya, regardless of size.
This guide walks through what a ROPA must contain under section 25 of the Kenya DPA 2019 and the Data Protection (General) Regulations 2021, how to build one from scratch, and how to keep it accurate.
Why the ROPA Matters for ODPC Compliance
The ROPA is the foundation of your accountability posture. The ODPC requests it early in any compliance audit or investigation. It underpins your Data Protection Impact Assessments (DPIAs), your privacy notices, and your ability to respond to data subject requests.
An organisation without a current ROPA cannot demonstrate that it understands what data it holds, why it holds it, or what it does with it. That is an accountability failure - and section 25 of the Kenya DPA 2019 makes accountability a legal obligation, not a best practice.
Who Must Maintain a ROPA?
Section 25 applies to all data controllers and data processors. Unlike the GDPR, which exempts small organisations with fewer than 250 employees from most ROPA requirements, the Kenya DPA 2019 contains no such small-organisation exemption.
All organisations processing personal data in Kenya must maintain a ROPA - including:
- Private companies, regardless of size
- NGOs and civil society organisations
- Government agencies and public bodies
- Data processors acting on behalf of controllers
What Must a ROPA Include?
Section 25(1) of the Kenya DPA 2019 requires the following elements for each processing activity:
- Name and contact details of the data controller and, where applicable, the Data Protection Officer (DPO)
- Purposes of processing - why the data is processed, with specificity per activity
- Categories of data subjects - employees, customers, website visitors, patients, etc.
- Categories of personal data processed - name, email, financial data, health data, etc.
- Recipients or categories of recipients - who receives the data, including processors and third parties
- Cross-border transfers - destination countries and the legal mechanism or safeguard applied
- Retention periods - how long each category of data is kept before deletion
- General description of technical and organisational security measures applied
The Data Protection (General) Regulations 2021 add further detail on the form and content of processing records, and the ODPC registration process draws on the same information - so a well-maintained ROPA also feeds your registration particulars.
Step 1: Map Your Processing Activities
Before you can record processing activities, you need to identify them. Start with a processing inventory. For each department, ask:
- What personal data do we collect or receive?
- Where does it come from? (directly from individuals, from third parties, from public sources)
- Why do we process it? (what is the specific purpose?)
- What do we do with it? (store, analyse, share, use for communications)
- Where does it go when we are done with it?
Common processing activities in a typical Kenyan organisation:
| Activity | Department | Data Types |
|---|---|---|
| Employee payroll processing | HR / Finance | Name, ID number, bank details, tax records |
| Customer account management | Operations / IT | Name, email, phone, purchase history |
| Email marketing | Marketing | Name, email, preferences, engagement data |
| KYC and identity verification | Compliance | Name, ID documents, biometrics (if applicable) |
| Website analytics | IT / Marketing | IP address, device data, browsing behaviour |
| Vendor management | Procurement | Name, contact details, company information |
| CCTV surveillance | Facilities / Security | Video footage |
Walk through each department systematically. Do not rely on what managers say they do with data - look at the actual systems, integrations, and data flows.
Step 2: Determine the Lawful Basis for Each Activity
Each processing activity in your ROPA must have a documented lawful basis under section 30 of the Kenya DPA 2019. The available bases are:
- Consent (s.32 conditions apply - freely given, specific, informed, unambiguous)
- Contract - processing necessary for a contract with the data subject
- Legal obligation - processing required by law (e.g. tax records, KYC obligations)
- Vital interests - necessary to protect life
- Public interest - for organisations carrying out public functions
- Legitimate interests - where the controller's interests are not overridden by data subject rights
For each processing activity, record the specific basis and the reasoning. "Legitimate interests" requires a balancing exercise - document it. "Consent" requires evidence of how consent is obtained.
Step 3: Document Recipients and Processors
For each processing activity, identify every entity that receives the data:
- Internal teams (e.g. data shared from marketing to sales)
- Third-party processors (cloud providers, payroll bureaux, analytics tools)
- Joint controllers (e.g. group company arrangements)
- Public authorities receiving data under legal obligation (tax authority, regulatory bodies)
Where processors are involved, section 42 of the Kenya DPA 2019 requires a written data processing agreement. Your ROPA should reference the existence of this agreement per processor.
For cross-border transfers - data sent to processors or recipients outside Kenya - record the destination country and the legal mechanism used to authorise the transfer under section 48.
Step 4: Set Retention Periods
For each category of data in each processing activity, document how long the data is retained and the basis for that retention period.
Retention periods should be:
- Specific - "7 years" is better than "until no longer needed"
- Justified - linked to a legal obligation, operational need, or documented business requirement
- Enforced - if you record a retention period in the ROPA, you must have a mechanism to delete or anonymise data at the end of it
Common statutory retention obligations in Kenya:
| Data Type | Retention Basis | Indicative Period |
|---|---|---|
| Tax and financial records | Tax Procedures Act 2015 | 5 years |
| Employment records | Employment Act (Cap. 226) | 5 years post-employment |
| KYC records | Proceeds of Crime and Anti-Money Laundering Act | 7 years |
| NSSF/SHIF contribution records | NSSF Act / Social Health Insurance Act | Duration of employment |
Step 5: Record Security Measures
Section 25(1) requires a general description of technical and organisational security measures. This does not require a full security audit in the ROPA - but it should be sufficient to demonstrate that appropriate measures are in place for the risk level of the processing.
Examples of what to record:
- Encryption at rest and in transit for sensitive data categories
- Access controls (role-based access, multi-factor authentication for sensitive systems)
- Staff training on data handling
- Vendor vetting and processor security requirements
- Incident response procedures
Maintaining the ROPA: Keeping It Current
A ROPA that was accurate in January and has not been updated by December is a compliance risk. Processing activities change: new systems are deployed, new vendors are onboarded, new products require new data, marketing campaigns introduce new purposes.
Build maintenance into your routine:
- Formal quarterly review - DPO reviews the ROPA with department leads for material changes
- Change-triggered updates - any new system, vendor, product launch, or change to an existing process triggers a ROPA update before go-live
- Annual full audit - a comprehensive review comparing the ROPA against actual data flows, ideally supported by a data flow mapping exercise
The ROPA must be available to the ODPC on request. It should be exportable in a structured format - the ODPC expects a documented, accessible record, not notes in a shared spreadsheet.
Common Mistakes to Avoid
Recording purposes too broadly. "Business purposes" or "improving our services" are not valid purpose descriptions. Each purpose should describe what processing actually occurs and why.
Leaving out processors. A ROPA that lists only internal activities but omits the cloud provider, the email marketing platform, and the payroll bureau is significantly incomplete.
No retention periods. Recording "retained indefinitely" is not a compliance position - it is an accountability gap. All data has a justified maximum retention period.
A static document. The most common failure is building a ROPA for ODPC registration and then never updating it. The ROPA's value - to the organisation and to the ODPC - depends on it being accurate right now.
Confusing the controller ROPA with the processor ROPA. If you are acting as a processor on behalf of another controller, you have separate ROPA obligations covering the processing you carry out on their behalf.
What Your ROPA Must Cover - s.25(1) Checklist
Every processing activity record in your ROPA must address all eight fields below. Missing any of them is an accountability gap the ODPC will find.
| Field | What to Document | DPA 2019 Reference |
|---|---|---|
| Controller and DPO details | Organisation name, address, and DPO contact information | s.25(1)(a) |
| Purposes of processing | The specific reason this activity exists - not generic descriptions | s.25(1)(b) |
| Categories of data subjects | Who the data is about: customers, employees, patients, etc. | s.25(1)(c) |
| Categories of personal data | What data is processed: name, email, financial data, health data, etc. | s.25(1)(c) |
| Recipients | Every team, processor, or third party that receives the data | s.25(1)(d) |
| Cross-border transfers | Destination country and the legal mechanism under s.48 | s.25(1)(d) |
| Retention periods | Specific timeframes - not "until no longer needed" | s.25(1)(f) |
| Security measures | A general description of technical and organisational controls in place | s.25(1)(g) |
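To make the checklist above and the common mistakes listed earlier mechanically checkable, here is an added example (not part of this guide and not an ODPC tool) that validates one ROPA activity kept as a structured record; the field names, the constructed sample activity and the wording of the checks are this example's own assumptions.

```python
"""Check a structured ROPA entry against s.25(1) and the guide's common mistakes (added example)."""
import re

# The eight s.25(1) fields every activity record must carry.
REQUIRED = ("controller", "purpose", "data_subjects", "data_categories",
            "recipients", "cross_border", "retention", "security_measures")
VAGUE_PURPOSES = {"business purposes", "improving our services"}
# A specific retention period starts with a number and a unit, e.g. "7 years".
RETENTION_RE = re.compile(r"^\d+\s+(days?|months?|years?)\b", re.I)


def validate_record(rec):
    """Return the list of problems found; an empty list means the record passes."""
    problems = []
    for field in REQUIRED:
        if rec.get(field) is None:
            problems.append(f"missing field: {field}")
    if (rec.get("purpose") or "").strip().lower() in VAGUE_PURPOSES:
        problems.append("purpose too broad: describe the specific processing")
    retention = rec.get("retention") or ""
    if not RETENTION_RE.match(retention.strip()):
        problems.append(f"retention not specific: {retention!r}")
    # Every transfer outside Kenya needs the s.48 mechanism recorded.
    for t in rec.get("cross_border") or []:
        if not t.get("mechanism"):
            problems.append(f"transfer to {t.get('country')} lacks s.48 mechanism")
    # Every processor needs a reference to its written s.42 agreement.
    for r in rec.get("recipients") or []:
        if r.get("role") == "processor" and not r.get("dpa_ref"):
            problems.append(f"processor {r.get('name')} has no s.42 agreement reference")
    # Step 2: consent needs evidence; legitimate interests needs a balancing note.
    basis = rec.get("lawful_basis") or {}
    if basis.get("type") == "consent" and not basis.get("evidence"):
        problems.append("consent basis recorded without evidence of how it is obtained")
    if basis.get("type") == "legitimate_interests" and not basis.get("balancing_note"):
        problems.append("legitimate interests recorded without a balancing exercise")
    return problems


# Constructed sample: an email-marketing activity carrying several of the mistakes.
SAMPLE_BAD = {
    "controller": "Example Ltd, Nairobi; DPO: dpo@example.test",
    "purpose": "Improving our services",
    "data_subjects": ["customers"],
    "data_categories": ["name", "email", "engagement data"],
    "recipients": [{"name": "MailTool", "role": "processor"}],
    "cross_border": [{"country": "Ireland"}],
    "retention": "until no longer needed",
    "security_measures": "TLS in transit, role-based access",
    "lawful_basis": {"type": "consent"},
}
```

Running `validate_record(SAMPLE_BAD)` reports five problems (vague purpose, non-specific retention, a transfer with no s.48 mechanism, a processor with no s.42 agreement reference, and consent without evidence); a record that fixes all five returns an empty list.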
Where to Start
If a full inventory feels overwhelming, prioritise in this order:
- Your highest-risk processing - sensitive data, large volumes, or third-party sharing
- Your customer-facing processing - where data subject requests (DSRs) are most likely to arrive
- Your HR and payroll processing - where employee rights apply
- Everything else - work outward from there
Building a complete ROPA is not a one-day project. But completing it processing-activity by processing-activity is entirely manageable. The ODPC expects a good-faith, maintained effort at accountability - not a perfect document produced overnight.