Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Kenya: ODPC publishes various guidance notes on data protection

On January 8, 2024, the Office of the Data Protection Commission (ODPC) announced via a LinkedIn post that it had published sector-specific guidance notes for the education sector, communication sector, digital credit providers, and processing of health data. In addition, the ODPC stated that it has also published guidance notes on Data Protection Impact Assessment (DPIA), consent, registration of data controllers and data processors, and electoral purposes.

Guidance note on registration 

The guidance note on the registration of data controllers and data processors, published on November 30, 2023, was developed to assist entities in ascertaining if they are data controllers or data processors and help them understand their obligations with respect to mandatory registration. The guidance note takes into consideration the Data Protection Act, 2019 (the Act), the Data Protection (Registration of Data Controller and Data Processors) Regulations, 2021, as well as international best practices. Furthermore, the guidance note provides a checklist for organizations to determine whether they are controllers or processors and guidance on how to register.

Guidance note on DPIA

The guidance note on DPIA, published on November 28, 2023, aims to assist data controllers and data processors in understanding the risk of processing activities undertaken and help them identify when a DPIA must be carried out and submitted to the ODPC. Further, the guidance note provides a template for a DPIA and provides the following list of criteria to consider when determining which processing activities would require a DPIA:

  • automated-decision making with legal or similar significant effects;
  • systematic monitoring;
  • sensitive personal data or data relating to a data subject or matters of a private nature;
  • data processed on a large volume or scale;
  • matching or combining data sets;
  • data concerning vulnerable data subjects;
  • innovative use or application of new technological or organizational solutions; and
  • when processing in itself prevents data subjects from exercising a right. 

You can read the LinkedIn post here and the guidance notes here.