Parliament approved a set of data regulations last week requiring all handlers and processors to register with the office of the Data Protection Office. Companies that violate the privacy laws will now be subject to the full force of the new data legislation.

The national assembly passed the data protection (General) regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

A firm found in violation of the new data restrictions could face fines of up to one percent of its annual revenue.

“In relation to an infringement of a provision of this Act, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to five million shillings, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower,” the data Act reads in part.

The organizations will be required to examine their data privacy policies in order to make them more understandable and demonstrate compliance.

The Office of the Data Protection Commissioner was established under section 5 of the Data Protection Act 2019, which President Uhuru Kenyatta signed into law in November last year.

The data protection regulations 2021, together with the complaints handling regulations, went into force on March 14. The registration of data controllers and processors will go into effect on July 14, 2022.

The Data Protection Act requires all processors to handle personal information lawfully, fairly and in a transparent manner. The data handlers will also be required to inform clients on the use of their data and correct or delete any false representations about them.

Sensitive data such as health status, marital status, sexual orientation, ethnicity, biometric data and names of children are also guaranteed special safeguard in the Act.

Additionally, the transfer of personal data out of Kenya is prohibited unless the data processors obtain express permission and prove that the information will be protected against misuse.

