Publication of implementing regulations for data protection in Kenya
At a glance
- Three sets of implementing regulations under the Data Protection Act 24 of 2019 (DPA) were published on January 14, 2022, including the General Regulations, Complaints and Enforcement Regulations, and Registration Regulations.
- The General Regulations focus on data subjects' rights, obligations of data controllers and processors, data protection by design or default, data protection impact assessments, transfer of personal data, notification of data breaches, and restrictions on commercial use of personal data.
- The Complaints and Enforcement Regulations outline the procedure for lodging complaints with the Data Commissioner, enforcement and penalty notices, while the Registration Regulations specify the procedure and thresholds for registration of data controllers and processors with the Data Commissioner. The Regulations will come into force if not revoked within 28 days after referral to the House Committee on Delegated Legislation.
The Data Commissioner published the Regulations in draft form early last year for purposes of public participation, and subsequently received and compiled comments from the public for purposes of incorporation into the final versions of the Regulations.
The General Regulations are quite comprehensive and aim to give effect to the rights of data subjects and also to elucidate the obligations of data controllers and data processors under the DPA. The General Regulations also expound further on other salient features of the DPA including the implementation of data protection by design or by default, data protection impact assessments, the transfer of personal data outside Kenya, the notification of personal data breaches and the restrictions on the commercial use of personal data.
The Complaints and Enforcement Regulations set out the procedure for lodging complaints with the Data Commissioner and for the issuance and management of enforcement and penalty notices under the DPA. The Registration Regulations on the other hand set out the procedure and thresholds for registration of persons with the Data Commissioner in their capacity as data controllers and data processors.
The Regulations are required to be tabled before the National Assembly within a week of the publication date and to be subsequently referred to the House Committee on Delegated Legislation for scrutiny and possible revocation. If within 28 days from the date of such referral (or such other period as the National Assembly may approve) this committee has not made a report recommending the revocation of the Regulations, then the Regulations will come into force. We are reviewing the contents of the Regulations and will issue a comprehensive legal alert in due course.
For more information on the DPA, please watch our short video summary of the salient features of the Act here and read our brief analysis of its extraterritorial applicability here.
The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.