🇰🇪 Kenya Data Protection Act Compliance Checker
Kenya Data Protection Act 2019: 18-question compliance self-assessment covering ODPC registration, lawful basis, data subject rights, DPO obligations, and cross-border data transfer rules.
Kenya DPA 2019 · ODPC · 18 Questions · Free Tool
Kenya Data Protection Act 2019: Key Facts
Enacted: 2019
Regulator: ODPC
Max Penalty: KSh 5M or 1%
Breach Notice: 72 hours
Registration: Mandatory
DPO Required: Certain controllers
ODPC Key Obligations & Contacts
Obligation | Detail
Registration with ODPC | Mandatory for all data controllers and processors. Portal: www.odpc.go.ke
Breach notification to ODPC | Within 72 hours of discovery
Notify data subjects | Promptly after notifying ODPC, where breach is likely to cause harm
DPO appointment | Required for public bodies and large-scale processors of sensitive data
DPIA requirement | Required for processing likely to result in significant risk
Cross-border transfer | Only to countries with equivalent data protection or with data subject consent
ODPC contact | info@odpc.go.ke / +254 20 268 6900
Case workspace
Build, save and export this legal workflow
This workspace turns the Kenya DPA evidence review result into a reusable matter note, dashboard item and gated PDF checklist. Use the app first, then save the evidence trail.
Benchmarked against Termly, OneTrust and enterprise consent platforms. The goal is not to copy them; it is to bring the useful workflow pattern into an Africa-first tool with official-source caution and local evidence capture.
Observed feature pattern
- Mature privacy tools scan or map real processing activity, then connect policies, cookie choices, DSARs, consent logs and regulator evidence.
- They preserve an audit trail instead of leaving users with a static policy that drifts away from the product.
- They route high-risk processing into DPIA, breach and processor-contract workflows before launch or vendor onboarding.
Implemented on this app
- This page now asks for matter, country or regime, date, status, evidence and risk flags before the user exports a note.
- The app-specific checklist is not generic: it starts with "Check ODPC registration status before tender, enterprise sales or app launch".
- Saved workflows can be resumed from the dashboard and handed off to Privacy Policy Generator when the matter naturally continues.
- The PDF/export moment is a value-after-result gate, so users can still use the tool first and only share email when saving the report.
Reviewed 28 April 2026 · Kenya
Kenya DPA evidence review
Kenya compliance needs more than a privacy notice. Registration, breach reporting, DPIA triggers, processor contracts and data-subject responses all need practical evidence.
Decisions this clarifies
- Whether the organisation must register as a controller or processor
- Whether the processing creates DPIA or breach-notification duties
- Which complaints, access requests and erasure requests need an internal workflow
Before you rely on it
- Check ODPC registration status before tender, enterprise sales or app launch
- Prepare breach facts, affected categories, mitigation and attachments before notification
- Use the privacy policy, DPA and DPIA tools together for high-risk processing
Red flags
- Assuming small size removes all ODPC obligations
- Reporting a breach without mitigation steps or affected-person communication plan
- Processing biometric, children or health data without a DPIA review
Before filing, signing, publishing, or sending anything, keep a short record that links the app result to evidence and official-source checks.
Capture: Save the country or regime, parties, dates, amounts, selected options, and final output. Add why this matters: Whether the organisation must register as a controller or processor.
Attach: Check ODPC registration status before tender, enterprise sales or app launch. Also keep the strongest supporting document, receipt, portal reference, ID, contract, policy, or court file beside the generated result.
Escalate: If you see this risk, pause and get qualified help: Assuming small size removes all ODPC obligations.
Paste this into your matter file, compliance folder, board pack, or lawyer handoff.
Kenya Data Protection Act 2019: Compliance Guide
The Kenya Data Protection Act (DPA) 2019 is Kenya's principal data protection legislation, establishing the Office of the Data Protection Commissioner (ODPC) as the enforcement authority. The Act applies to data controllers and processors who process personal data of individuals in Kenya, regardless of where the controller or processor is located.
Unlike some other African data protection laws, the Kenya DPA 2019 requires mandatory registration with the ODPC before commencing processing activities. Failure to register is itself a criminal offence punishable by a fine of up to KSh 5 million or 1% of annual global turnover.
ODPC registration is mandatory for all data controllers and data processors. Registration is done online at www.odpc.go.ke.
Children's data receives special protection under the Kenya DPA. Parental or guardian consent is required for processing data of children under 18.
Sensitive personal data (race, health, sexual orientation, religious beliefs, etc.) requires specific justification and heightened safeguards.
Data subject rights include: right to access, right to correction, right to erasure, right to object, right to data portability, and right not to be subject to automated decision-making.
Disclaimer
This tool provides general information and educational resources only. Not legal advice. Consult a qualified Kenyan data protection lawyer for advice specific to your organisation's circumstances.