Regulations Under the Data Protection Act, 2019 Published for National Assembly Scrutiny


The Data Protection Act, 2019 was signed into law more than two years ago.

As a reminder, the bill had been going through deliberations in Parliament for an extended period.

It was also key because it served as a unique law in East Africa, follows in the steps of Europe’s GDPR, and was necessary because Kenya was, and still is, experiencing data protection abuses.

You should also remember that data protection issues were raised by a lot of people during the Huduma Namba registration exercise.

The same concerns were also highlighted for the better part of 2020 and 2021, after it became clear that some data processors and handlers, including online loan firms, were using personal data to further their business without considering the implications of doing so, including cases of blatant abuse of such information.

To this end, it is clear why the law exists. It, on the whole, regulates the processing of personal data, and has since seen the establishment of the office of the Data Commissioner.

The law also provides for the rights of data subjects, and states the objectives of data controllers and processors.

However, although the Act was signed in 2019, the regulations under it were not published until this year (2022).

They are: the Data Protection (General) Regulations, 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. 

This means that Parliament is tasked with assessing the Regulations; if no issues are raised that call for a revision, the Regulations will come into effect.

This will be done by February 2022.

As a highlight, the Data Protection (General) Regulations, 2021 provide for the rights of a data subject, limitations on commercial use of such information, the roles of data controllers and processors, the communication of data breaches, and the transfer of data outside Kenya, to mention a few.

Secondly, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 provide for the lodging and admission of complaints, the response to them, and enforcement provisions.

Lastly, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 give details about the process of registering data controllers and data processors. Their certificates have a validity of two years from the time of registration.

The Data Protection Act, 2019 goes a long way in ensuring that there are penalties for non-compliance (with the stated regulations), and that data protection must now be considered and included from the start of system design.

We will update you about the development from Parliament regarding the assessment of the regulations.