
Kenya Data Protection Act 2019

Your complete guide to DPA 2019 compliance and ODPC obligations

The Kenya Data Protection Act 2019 is the primary data protection law in Kenya, enforced by the Office of the Data Protection Commissioner (ODPC). This guide explains every key obligation, who it applies to, what the deadlines are, and how Dira maps to each section.

The Kenya Data Protection Act 2019 came into force on 25 November 2019. The Office of the Data Protection Commissioner (ODPC) was constituted in 2020 and is now actively enforcing. Organisations that process personal data in Kenya - or about Kenyan data subjects - must comply. This guide covers the key obligations, deadlines, and how Dira maps to each.

Key challenges

DPA 2019 obligations under the Kenya Data Protection Act 2019

Key DPA 2019 deadlines

72 hours to notify the ODPC of a data breach (s.43). 7 days to fulfil a data subject request (ODPC guidance). 60 days for ODPC prior consultation response (s.31).

ODPC registration obligations

Data controllers and processors processing personal data in Kenya must register with the ODPC under Part III. Certain categories - including sensitive data processors - face additional requirements.

Accountability and records

Section 25 requires all controllers to maintain Records of Processing Activities (ROPA) and demonstrate compliance through documented technical and organisational measures.

Fines and enforcement

The ODPC can impose fines of up to KES 5 million for non-compliance. The ODPC has already issued enforcement notices and conducted compliance audits across sectors.

Start your Kenya Data Protection Act 2019 compliance programme

30-day free trial. No credit card required. Our compliance team will map Dira to your specific DPA obligations.
