On 8th November 2019, the President of the Republic of Kenya H.E Uhuru Kenyatta assented to the Data Protection Bill, ushering Kenya into a substantive Data Protection Act,2019 (the “Act”). The commencement date for the Act is 25th November 2019.

The Act gives effect to Article 31(c) and (d) of the Constitution: the right not to have information relating to family or private affairs unnecessarily required or revealed as well as the right not to have the privacy of their communications infringed. 

Under the Act, companies are considered data controllers and processors. The Act grants various privacy rights to data subjects (company clients and employees)- we shall delve into these in articles to follow. 

The Data Protection Act requires companies regulated sectors such as telecommunications, energy, finance, insurance  to add data protection to their compliance regime. All companies irrespective of sector now need to implement an entire operational shift in business strategy and  processes to ensure data protection is part of the business through privacy by design. Moving forward, companies need to ensure compliance of their dealings with third parties such as suppliers or agents with whom client/employee personal information is shared. 

SOme companies will be required to register as data controllers/processors with the office of the Data COmmissioner once established under the ACt depending on the parameters set out in regulations to the Act.