Briefly

Draft Guidance Notes

policyKenya·Office of the Data Protection Commissioner Kenya·Briefly Analysis

Abstract

The Office of the Data Protection Commissioner (ODPC) in Kenya has recently published several Draft Guidance Notes for public consultation, signaling a maturing regulatory landscape for data protection in the country. These draft notes, particularly those released in April 2026, address critical areas such as data processing in the transport sector, cross-border data transfers, the role of Data Protection Officers (DPOs), and the development of institutional data protection policies. They aim to provide practical clarity and assist data controllers and processors in complying with the Data Protection Act, 2019. This initiative underscores the ODPC's commitment to robust enforcement and proactive stakeholder engagement, necessitating that legal professionals and entities operating in Kenya meticulously review and prepare for the finalisation of these crucial interpretative instruments.

Introduction

Kenya's data protection regime, anchored by the Data Protection Act, 2019 (the "Act"), continues to evolve with the proactive efforts of the Office of the Data Protection Commissioner (ODPC). Established to give effect to the constitutional right to privacy, the ODPC has been instrumental in operationalising the Act through various regulations and, significantly, through the issuance of guidance notes. The recent publication of several Draft Guidance Notes for public consultation marks a pivotal moment, offering stakeholders an opportunity to shape the practical application of data protection principles across diverse sectors.

These Draft Guidance Notes are not merely advisory; they represent the ODPC's interpretative stance on complex provisions of the Act and its subsidiary regulations. By providing sector-specific and thematic guidance, the ODPC aims to foster a clearer understanding of compliance obligations, thereby reducing ambiguity and promoting best practices. For legal practitioners, understanding the nuances within these drafts is crucial, as they will directly influence compliance strategies, risk assessments, and the overall data governance frameworks of their clients. The ongoing consultation process highlights the ODPC's commitment to a collaborative regulatory approach, yet also signals an expectation of heightened adherence once these guidelines are finalised.

This article delves into the significance of the ODPC's Draft Guidance Notes, examining their context within Kenya's data protection framework, analysing their potential impact on data controllers and processors, and outlining key considerations for legal professionals advising on compliance. It posits that these drafts are a critical step towards a more defined and enforceable data protection environment, demanding immediate attention from all entities handling personal data in Kenya.

Background

The foundation of data protection in Kenya is the Data Protection Act, 2019, which came into force on November 25, 2019. This landmark legislation gives effect to Article 31(c) and (d) of the Constitution of Kenya, 2010, which guarantees every person the right to privacy. The Act established the Office of the Data Protection Commissioner (ODPC) as the independent supervisory authority responsible for its enforcement. The DPA, broadly modelled on the European Union's General Data Protection Regulation (GDPR), sets out comprehensive principles for the processing of personal data, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality.

Since its establishment, the ODPC has progressively rolled out a robust regulatory framework. This includes the Data Protection (Civil Registration) Regulations, 2020, the Data Protection (Complaints Handling Procedure & Enforcement) Regulations, 2021, the Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021, and the Data Protection (General) Regulations, 2021. These regulations provide detailed provisions on various aspects, from mandatory registration thresholds for data controllers and processors to procedures for handling data subject complaints and enforcing compliance. The ODPC has also been active in issuing enforcement notices and imposing significant fines for non-compliance, underscoring its commitment to holding entities accountable.

In addition to the formal regulations, the ODPC regularly publishes guidance notes to offer practical interpretation and assistance to stakeholders. Previous guidance has covered areas such as the registration of data controllers and processors, Data Protection Impact Assessments (DPIAs), consent, and sector-specific advice for digital credit providers, the education sector, and the public sector, among others. The current Draft Guidance Notes build upon this foundation, addressing emerging areas and specific operational challenges faced by entities in their data processing activities.

Analysis

The most recent set of Draft Guidance Notes, published by the ODPC in April 2026, focuses on four critical areas: the transport sector, cross-border data transfers, the role of Data Protection Officers (DPOs), and the development of institutional data protection policies. These drafts are particularly significant as they tackle complex operational aspects of data protection that require detailed interpretation beyond the general provisions of the Act and existing regulations. For instance, the Guidance Note for the Transport Sector provides practical interpretations of data protection requirements for operators, addressing the unique challenges of collecting and processing personal data in transit.

The Draft Guidance Note on Cross-border Data Transfers is especially crucial, given the increasing globalisation of data processing. It outlines the legal, regulatory, and operational obligations that data handlers must observe to ensure personal data remains protected when transferred outside Kenya. This aligns with Sections 48, 49, and 50 of the DPA, which govern such transfers, often requiring adequate safeguards or explicit consent. The guidance is expected to clarify the conditions under which data can be transferred, the mechanisms for ensuring adequate protection (e.g., standard contractual clauses, binding corporate rules), and the notification requirements to the ODPC.

Furthermore, the Draft Guidance Notes on Data Protection Officers (DPOs) and Institutional Data Protection Policies provide much-needed clarity on internal governance. The DPO guidance is expected to detail the qualifications, responsibilities, and reporting lines of DPOs, who play a vital role in ensuring internal compliance and acting as a liaison with the ODPC and data subjects. The policy guidance will likely offer a framework for developing comprehensive data protection policies, which are essential for demonstrating accountability and embedding data protection by design and default within organisations. This is particularly relevant given the ODPC's shift towards stricter enforcement and a focus on operational compliance rather than just policy-based adherence.

While these draft notes aim to provide clarity, practitioners should be mindful of potential areas requiring further refinement. The balance between regulatory burden and practical implementation, especially for Small and Medium-sized Enterprises (SMEs), will be a key consideration. The ODPC has previously issued guidance for MSMEs, indicating an awareness of varying capacities. Moreover, the interpretation of 'legitimate interest' as a lawful basis for processing, particularly in sector-specific contexts, will need careful consideration to ensure it does not override data subjects' fundamental rights and freedoms, a principle the ODPC has rigorously enforced.

The public consultation period, which for the April 2026 drafts concluded on May 15, 2026, underscores the ODPC's commitment to stakeholder engagement. This consultative approach allows for industry input, potentially leading to more practical and effective final guidelines. However, the ODPC's enforcement actions, including significant fines against entities like Oppo Kenya, Mulla Pride Limited, and Liquid Telecommunications Kenya Ltd, demonstrate that the regulator is prepared to act decisively against non-compliance, even as guidance is being developed. This dual approach of guidance and enforcement necessitates that entities proactively review their data processing activities against both the existing legal framework and the evolving interpretative guidance.

Conclusion

The ODPC's ongoing issuance of Draft Guidance Notes is a clear indication of Kenya's maturing data protection landscape. These documents are indispensable tools for legal practitioners and organisations seeking to navigate the complexities of the Data Protection Act, 2019, and its subsidiary regulations. The recent drafts on the transport sector, cross-border data transfers, DPOs, and data protection policies will, once finalised, significantly shape compliance obligations and best practices across various industries.

Practitioners are advised to remain vigilant and proactively integrate the principles and specific requirements outlined in these guidance notes into their clients' data governance frameworks. This includes conducting thorough data protection impact assessments, reviewing and updating internal policies, ensuring robust mechanisms for cross-border data transfers, and, where applicable, establishing or refining the role of the Data Protection Officer. As the ODPC continues its robust enforcement, demonstrated by numerous fines and compliance orders, a proactive and well-informed approach to data protection compliance is not merely a legal obligation but a strategic imperative to mitigate significant financial and reputational risks.

Citations

  1. 1.The Constitution of Kenya, 2010
  2. 2.Data Protection Act, 2019 (Act No. 24 of 2019)
  3. 3.Data Protection (Civil Registration) Regulations, 2020
  4. 4.Data Protection (Complaints Handling Procedure & Enforcement) Regulations, 2021
  5. 5.Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021
  6. 6.Data Protection (General) Regulations, 2021
  7. 7.Office of the Data Protection Commissioner, Guidance Note on Registration of Data Controllers and Data Processors
  8. 8.Office of the Data Protection Commissioner, Guidance Note on Data Protection Impact Assessment
  9. 9.Office of the Data Protection Commissioner, Guidance Note on Consent
  10. 10.Office of the Data Protection Commissioner, Guidance Notes for Public Sector
  11. 11.Office of the Data Protection Commissioner, Guidance Notes on Processing by MSMEs
  12. 12.Office of the Data Protection Commissioner, Guidance Notes for Journalistic Purpose
  13. 13.Office of the Data Protection Commissioner, Draft Guidance Note for the Transport Sector (April 2026)
  14. 14.Office of the Data Protection Commissioner, Draft Guidance Note on Cross-border Data Transfers (April 2026)
  15. 15.Office of the Data Protection Commissioner, Draft Guidance Note on Data Protection Policy (April 2026)
  16. 16.Office of the Data Protection Commissioner, Draft Guidance Notes on DPO (April 2026)
  17. 17.Chizzy Taabu Orwa & 2 Others v Mast Jägermeister SE (ODPC Determination, 2025)
  18. 18.Samuel Kamau Waweru v Platinum Credit Ltd (ODPC Determination, 2025)
  19. 19.Comfort Muthoni Gachiri v The Storage Trading Company Limited (ODPC Determination, 2025)
  20. 20.Liquid Telecommunications Kenya Ltd (ODPC Determination, November 2025)
  21. 21.Oppo Kenya (ODPC Determination, December 2022)
  22. 22.Mulla Pride Limited (ODPC Determination, September 2023)
AI Business Impact

How does this affect your business?

Get an AI analysis of this article grounded in your jurisdictions, practice areas, and any policy documents you've uploaded to Wansom.