
Kenya DPA 2019 vs GDPR: What's the Same, What's Different

Dira Compliance Team

If your organisation operates across Kenya and the European Union, or if you are a compliance professional who learned data protection under GDPR before turning attention to Kenyan law, you have likely noticed the similarities between the Kenya Data Protection Act 2019 and the EU's General Data Protection Regulation. They are not coincidental.

The Kenya DPA 2019 was substantially influenced by GDPR. The structure, the core principles, and many of the individual obligations are clearly related. But the differences - some subtle, some significant - matter for compliance.

The Structure: Broadly Parallel

Both GDPR and the Kenya DPA 2019 are built around the same conceptual architecture:

  • Data protection principles that apply to all processing
  • Lawful bases for processing personal data
  • Data subject rights that individuals can exercise
  • Obligations on controllers and processors
  • Breach notification requirements
  • A supervisory authority with enforcement powers

If you understand GDPR, you will find the Kenya DPA 2019 familiar territory - but do not assume the details match.

Data Protection Principles: Largely Aligned

Section 25 of the Kenya DPA 2019 sets out the statutory principles:

  • The right to privacy
  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Adequacy and data minimisation
  • Collection only with a valid explanation where data relates to family or private affairs
  • Accuracy
  • Retention limitation
  • No transfer outside Kenya without adequate safeguards or consent

These map closely to GDPR Article 5, but the lists are not identical - s.25 adds the explicit right-to-privacy framing and a transfer-restriction principle that GDPR handles elsewhere (Chapter V). Accountability runs through the Act: compliance must be demonstrable, not merely asserted.

Lawful Bases for Processing: Similar but Not Identical

GDPR Article 6 provides six lawful bases for processing. The Kenya DPA 2019, in section 30, provides similar categories: consent, contract, legal obligation, vital interests, public interest, and legitimate interests.

Key difference: The Kenya DPA 2019's legitimate interests provision (s.30(d)) is less developed than GDPR's equivalent. GDPR requires a three-part balancing test - legitimate purpose, necessity, and a balancing of interests - that is well-established through regulator guidance and case law. ODPC guidance on legitimate interests in Kenya is still developing.

Where GDPR legitimate interests analysis gives you confidence in a use case, document the same three-part reasoning for DPA 2019 purposes. It is the most defensible approach while ODPC precedent matures.

Consent: Parallel, but Look at s.32 - Not s.30

This is a common point of confusion. GDPR consent conditions are in Article 7. The Kenya DPA 2019 consent conditions are in section 32 - not section 30, which covers lawful processing generally.

Section 32 places the burden of proof on the controller and requires consent to be:

  1. Free - no penalty for refusing, no bundling with services (s.32(4))
  2. Specific - separate consent per purpose
  3. Informed - plain-language explanation of processing
  4. Express and unequivocal - no pre-ticked boxes or inferred consent

These requirements are substantively similar to GDPR Article 7 read with Recital 32. Withdrawal must be as easy as giving consent - also consistent with GDPR.

Child consent: GDPR Article 8 sets the threshold for information society services at 16 (or lower by member state). The Kenya DPA 2019 section 33 requires parental or guardian consent for processing personal data of minors, without specifying an age threshold - leaving the definition of "minor" to general Kenyan law (under 18).

Data Subject Rights: Broadly Similar, Different Section Numbers

Both frameworks provide a comparable set of individual rights. The key mapping:

Right                        | GDPR    | Kenya DPA 2019
-----------------------------|---------|---------------
Right of access              | Art. 15 | s.26
Right to erasure             | Art. 17 | s.40
Right to data portability    | Art. 20 | s.38
Right to object              | Art. 21 | s.36
Right to rectification       | Art. 16 | s.40
Right to restrict processing | Art. 18 | s.34

Key Differences on Response Timeframes

GDPR sets a general one-month deadline (Art. 12(3)), extendable by two months for complex requests.

The Kenya Data Protection (General) Regulations 2021 are significantly tighter:

  • 7 days - the working deadline for data subject requests
  • 30 days - data portability requests (s.38(6))

GDPR-calibrated response processes built around a one-month clock will miss Kenyan deadlines by weeks. This is one of the most operationally significant differences between the two frameworks.

Automated Decision-Making

GDPR Article 22 provides explicit rights regarding solely automated decision-making with significant effects. The Kenya DPA 2019 section 35 addresses automated decision-making, including three exceptions where solely automated decisions are permitted - with less detailed procedural requirements than GDPR.

Sensitive Personal Data: Different Categories, Different Section

GDPR Article 9 lists "special categories" of personal data. The Kenya DPA 2019 uses a different term - sensitive personal data - and a different list, defined in section 2:

  • Race and ethnic social origin
  • Health status
  • Conscience and belief
  • Genetic data and biometric data
  • Property details - not in GDPR's list
  • Marital status and family details (including names of children, parents, and spouses) - not in GDPR's list
  • Sex or sexual orientation

Note what Kenya's list includes that GDPR's does not (property details, marital status, family details) - and that GDPR's "political opinions" and "trade union membership" do not appear as such. Do not copy a GDPR Article 9 data inventory into a Kenyan compliance programme. The conditions for processing sensitive personal data are in sections 44-47.

Cross-Border Transfers: Look at s.48, Not s.44

GDPR Chapter V (Articles 44-49) governs transfers of personal data to third countries. The Kenya DPA 2019 equivalent is in section 48, which restricts transfers outside Kenya unless:

  • The receiving country has adequate protection
  • The data subject has consented to the transfer
  • The transfer is necessary for contract performance
  • Other specific conditions in section 48 apply

Section 49 adds safeguards requirements prior to transfer.

Key difference: Kenya does not yet have an adequacy framework comparable to the EU's adequacy decisions. Standard Contractual Clauses (SCCs) - familiar from GDPR cross-border practice - are not explicitly referenced in the Kenya DPA 2019, though the ODPC's draft cross-border transfer guidance points to comparable contractual safeguards as the expected mechanism in the absence of adequacy.

Data Protection Impact Assessments: Closely Aligned

Both frameworks require a DPIA for processing likely to result in high risk. GDPR Article 35 and Kenya DPA 2019 section 31 both require the DPIA to cover:

  • A description of the processing operations
  • A necessity and proportionality assessment
  • A risk assessment for data subjects
  • Risk mitigation measures

Key difference: GDPR requires mandatory DPIAs for specific categories of processing listed by supervisory authorities. The ODPC has not yet published a formal mandatory DPIA list. Kenyan controllers must therefore apply a broader risk-based screening - which the s.31 framework supports.

Breach Notification: 72 Hours in Both - to Different Bodies

Both frameworks share the 72-hour notification window:

  • GDPR Art. 33: notify the lead supervisory authority
  • Kenya DPA 2019 s.43: notify the ODPC

Both also require notification to data subjects when the breach is likely to result in high risk to their rights and freedoms. The required notification content under s.43(5) closely mirrors GDPR Article 33(3). One Kenya-specific addition: processors must notify the controller within 48 hours (s.43(3)) - a deadline GDPR leaves at "without undue delay".

Enforcement: Lower Fines, but Real Risk

Framework      | Maximum fine
---------------|---------------------------------------------------------------------
GDPR           | €20 million or 4% of global annual turnover, whichever is higher
Kenya DPA 2019 | KES 5 million or 1% of annual turnover, whichever is lower (ss.62-63)

The lower ceiling should not be misread as lower risk. The ODPC is actively enforcing: it has issued enforcement notices, conducted compliance audits, and investigated complaints across financial services, healthcare, and technology sectors. Reputational consequences, operational disruption from an ODPC audit, and contractual liability to data subjects can far exceed the statutory fine.

Side-by-Side Reference

The table below maps every major GDPR provision to its equivalent in the Kenya DPA 2019. Use it to translate your existing GDPR programme into DPA 2019 terms - and to spot where the two frameworks genuinely diverge.

Foundations

Topic                        | GDPR            | Kenya DPA 2019
-----------------------------|-----------------|---------------------------------------
Data protection principles   | Art. 5          | s.25
Lawful bases for processing  | Art. 6          | s.30
Conditions for consent       | Art. 7          | s.32 (not s.30)
Child / minor consent        | Art. 8 - age 16 | s.33 - under 18
Sensitive personal data      | Art. 9          | s.2 definition, ss.44-47 conditions

Individual Rights

Right                 | GDPR    | Kenya DPA 2019
----------------------|---------|-------------------------------
Access                | Art. 15 | s.26 - respond within 7 days
Erasure               | Art. 17 | s.40 - respond within 7 days
Data portability      | Art. 20 | s.38 - respond within 30 days
Object to processing  | Art. 21 | s.36 - respond within 7 days
Rectification         | Art. 16 | s.40 - respond within 7 days
Restrict processing   | Art. 18 | s.34 - respond within 7 days

Timeframes are set by the Data Protection (General) Regulations 2021 - not the Act itself.

Controller and Processor Obligations

Obligation                          | GDPR                         | Kenya DPA 2019
------------------------------------|------------------------------|------------------------------------------
DPO appointment and duties          | Art. 37-39                   | s.24
Processor agreements                | Art. 28                      | s.42
Data Protection Impact Assessment   | Art. 35                      | s.31
Cross-border transfers              | Art. 44-49                   | ss.48-49 (no adequacy framework yet)
Breach notification to regulator    | Art. 33 - 72 hours           | s.43 - 72 hours
Breach notification to individuals  | Art. 34 - high risk          | s.43(4) - high risk
Supervisory authority               | Lead supervisory authority   | ODPC
Maximum fine                        | €20M or 4% of global turnover | KES 5M or 1% of turnover (lower)

Both frameworks share a common foundation. For most GDPR-experienced professionals, the Kenya DPA 2019 will feel familiar - but the different section numbers, the different sensitive-data list, the evolving ODPC guidance, and the much tighter 7-day DSR timeframe mean that direct copy-paste from your GDPR programme is not sufficient. Translate, don't transplant.
