Data Commissioner Immaculate Kassait has decried the low compliance of data processors and controllers with data protection laws despite growing awareness from the public about breaches.
At a recent workshop with regulators in Nairobi, Kassait asked data handlers to register with the Office of the Data Protection Commissioner (ODPC) as a first step towards compliance. In her presentation, she noted rising cases of data breaches, identity theft, unauthorized sharing of personal data, and intrusive surveillance resulting from Kenya’s digital revolution.
“Registration is not merely a formality; it is a legal obligation that ensures transparency and accountability. It allows us to identify and track entities processing personal data, assess their compliance with the law, and intervene when necessary to protect individuals’ data rights,” she said.
Entities with between 0-10 workers and below annual Ksh5 million turnovers are exempt from registration unless fit in certain categories, entities with between 10-49 workers are required to pay registration fee of Ksh4000. Entities turning over below Ksh50 million per year (50-99 employees) are required to pay registration fee of Ksh16,000 while entities with above 100 employees (Ksh50 million plus turnover) are required by the law to pay registration fee of Ksh40,000.
“As regulators, membership bodies and associations in your respective sectors, you play an instrumental role in ensuring that the entities you oversee adhere to the law. These entities are often the primary processors of personal data in Kenya, making you critical partners in our efforts to enforce compliance,” she added.
Digital disruption has led to unrestricted and unregulated processing of personal data outside a given jurisdiction popularly known as cross-border data transfers raising concerns of privacy, trust, and sovereignty across many countries.
The Kenya Institute for Public Policy Research and Analysis (KIPPRA) has questioned the government’s commitment and ability to control its critical data. Of concern is the insufficient budget allocation for the data protection regulator which it argues is less compared to the authority’s jurisdiction.
“Despite having relatively new legal and policy instruments for data localisation in Kenya, there is need to assess the level of preparedness in the country and determine the key considerations in building data sovereignty for successful personal data governance in Kenya,” said principle policy analyst at Kippra Humphrey Njogu.