
With the enforcement of the Data Protection Act, 2019, all businesses in Kenya that collect, store, or process personal data must comply with data protection regulations. One of the key legal requirements is registering as a Data Controller or Data Processor with the Office of the Data Protection Commissioner (ODPC).
Failure to comply can result in hefty fines, legal action, and reputational damage. This guide outlines the step-by-step process of registration, compliance requirements, and how businesses can ensure full adherence to the law.
Who Needs to Register Under Kenya’s Data Protection Act?
Organizations that handle personal data must register as either:
Data Controllers – Organizations that determine how and why personal data is collected and processed.
Data Processors – Organizations that process personal data on behalf of a Data Controller.
Some industries that must register include:
✔ Financial institutions (banks, SACCOs, fintech companies)
✔ E-commerce platforms and digital service providers
✔ Healthcare providers (hospitals, clinics, insurance companies)
✔ Educational institutions (schools, universities, online learning platforms)
✔ Telecommunication and ICT firms
✔ Government agencies and NGOs handling personal data
If a business operates as both a Data Controller and a Data Processor, it must submit two separate applications, each with its own registration fee.
Not sure whether your business needs to register? Contact us for a compliance assessment.
Step-by-Step Process for Data Controller or Processor Registration
Step 1: Visit the ODPC Registration Portal
All applications must be submitted online through the ODPC’s official portal.
Step 2: Select the Registration Category
Choose whether you are registering as a Data Controller or Data Processor.
If your organization falls into both categories, you must submit separate applications.
Step 3: Provide Business Information
You will be required to fill in:
✔ Business registration details (company name, registration number, address)
✔ A description of the types of personal data collected and processed
✔ Information about the data subjects (e.g., customers, employees, suppliers)
✔ Details of data protection and security measures in place
✔ Contact details of a Data Protection Officer (DPO), if required
Step 4: Upload Supporting Documents
The ODPC may require supporting documents such as:
✔ A copy of your business registration certificate
✔ Your organization’s privacy policy
✔ A data processing impact assessment (if applicable)
Step 5: Pay the Registration Fee
Registration fees vary depending on:
The size of the business
The sector in which the business operates
The nature of data processing activities
Step 6: Submit the Application
After verifying all details and attaching necessary documents, submit your application for review.
Processing Timelines & What to Expect
If the application is approved, a Data Controller or Processor registration certificate is issued within 14 days (or up to 28 days if corrections are needed).
The certificate remains valid for two years and must be renewed before it expires.
If the application is declined, the ODPC provides a reasoned explanation within 21 days, and the applicant may resubmit an improved application.
For official details on registration fees and processing, visit the ODPC website.
Beyond Registration: Ongoing Compliance Obligations
Meeting Kenya’s data protection requirements does not end with registration. Businesses must continue to comply with key obligations, including:
1. Develop a Privacy Policy
A privacy policy must be established in accordance with the Data Protection (General) Regulations, 2021 to govern how personal data is collected, processed, and protected.
2. Conduct a Data Protection Impact Assessment (DPIA)
High-risk data processing activities—such as handling biometric data or processing large amounts of personal data—may require a DPIA to assess and mitigate risks.
3. Appoint a Data Protection Officer (DPO) (If Required)
Certain businesses must appoint a DPO to oversee compliance, as required by the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
4. Comply with Cross-Border Data Transfers
Businesses transferring personal data outside Kenya must follow the rules outlined in the Data Protection (Compliance and Enforcement) Regulations, 2021.
Why Work with MasiboLaw for Data Protection Compliance?
Understanding and complying with Kenya’s Data Protection Act, 2019 can be challenging. MasiboLaw offers expert legal support to help businesses navigate data protection registration and compliance with ease.
Our services include:
✔ Data Controller & Processor Registration – Ensuring accurate and complete applications for swift approval.
✔ Drafting Privacy Policies – Creating legally compliant data protection policies tailored to your business needs.
✔ Data Protection Impact Assessments (DPIA) – Identifying risks and ensuring compliance.
✔ Ongoing Compliance Advisory – Providing continued legal support as data protection laws evolve.
Take Action: Ensure Your Business is Data Protection Compliant
The Data Protection Act, 2019 is now fully enforced, and businesses that fail to comply face fines of up to KES 5 million or 1% of annual turnover. Taking proactive steps to register and comply can protect your business from penalties and build trust with customers.
📩 Need help with Data Controller or Processor registration in Kenya? Contact Masibo Law at info@masibolaw.co.ke for expert assistance.
