The Act requires companies to abide by the principles of data protection. These are heavily borrowed from the EU GDPR. Companies dealing with the personal data of natural persons resident in Kenya are now required to ensure that personal data is: 

  • processed in accordance with the right to privacy of the data subject; 
  • processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes; 
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed; 
  • collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  • accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and 
  • not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

These principles are expected to usher the right to be forgotten into Kenya, with businesses having to re-evaluate their data collection, use, retention and disposal cycles. Failure to abide by any of these principles may lead to a fine from the office for the Data Commissioner of up to 5 million Kenyan shillings or 1% of the turnover of the company for the preceding year.