EU - Kenya: GDPR v. Kenya Data Protection Act

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and Data Protection Act, 2019 (the Act).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the Act with the GDPR.

You can access the latest version of the report here.

What is the Act?

The Act, which came into force on 25 November 2019, is the primary piece of data protection legislation in Kenya. The Act provides for the establishment of the Data Protection Office (ODPC) to enforce its provisions; however, this office has yet to be formed.

Key highlights

The Act and the GDPR share some similarities, including:

  • similar central concepts of data controllers, data processors, and data subjects;
  • that they both explicitly consider anonymized and pseudonymized data, apply to automated processing, and have comparable concepts of personal data and sensitive data; and
  • similar concepts of DPOs, their tasks, and the associated provisions regulating the appointment of DPOs.

However, despite their similarities, the Act and the GDPR sometimes differ in their approach, such as:

  • unlike the GDPR, the Act establishes general processing registration/notification requirements and does not explicitly require records of processing; and
  • that the Act provides for potential prison terms, that individuals may be held liable for offenses, and that the amount of fines that may be issued differs.