Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Kenya: ODPC publishes various guidance notes on data protection
On January 8, 2024, the Office of the Data Protection Commission (ODPC) announced via a LinkedIn post that it had published sector-specific guidance notes for the education sector, communication sector, digital credit providers, and processing of health data. In addition, the ODPC stated that it has also published guidance notes on Data Protection Impact Assessment (DPIA), consent, registration of data controllers and data processors, and electoral purposes.
Guidance note on registration
The guidance note on the registration of data controllers and data processors, published on November 30, 2023, was developed to assist entities in ascertaining if they are data controllers or data processors and help them understand their obligations with respect to mandatory registration. The guidance note takes into consideration the Data Protection Act, 2019 (the Act), the Data Protection (Registration of Data Controller and Data Processors) Regulations, 2021, as well as international best practices. Furthermore, the guidance note provides a checklist for organizations to determine whether they are controllers or processors and guidance on how to register.
Guidance note on DPIA
The guidance note on DPIA, published on November 28, 2023, aims to assist data controllers and data processors in understanding the risk of processing activities undertaken and help them identify when a DPIA must be carried out and submitted to the ODPC. Further, the guidance note provides a template for a DPIA and provides the following list of criteria to consider when determining which processing activities would require a DPIA:
- automated-decision making with legal or similar significant effects;
- systematic monitoring;
- sensitive personal data or data relating to a data subject or matters of a private nature;
- data processed on a large volume or scale;
- matching or combining data sets;
- data concerning vulnerable data subjects;
- innovative use or application of new technological or organizational solutions; and
- when processing in itself prevents data subjects from exercising a right.
You can read the LinkedIn post here and the guidance notes here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
