Kenya Data Protection Act
The Kenya DPA carries fines up to 1% of turnover and imprisonment up to 10 years—management accountability for data protection is a legal requirement, not an aspiration.
The Kenya Data Protection Act 2019 is Kenya's comprehensive data protection legislation, establishing the Office of the Data Protection Commissioner (ODPC) as the supervisory authority. Modelled substantially on the EU GDPR, it introduces data protection principles, data subject rights, and obligations for data controllers and processors.
The Act requires organisations to register with the ODPC, appoint Data Protection Officers where applicable, conduct DPIAs for high-risk processing, and report data breaches within 72 hours. Cross-border transfer restrictions mandate adequate protection levels in recipient countries.
For Microsoft 365 environments, compliance requires Purview sensitivity labels for data classification, DLP policies preventing unauthorised data transfers, Conditional Access for access control, and Defender XDR for incident detection and breach notification. StremarControl engineers and operates these Microsoft-native controls for Kenya DPA mandates, translating each obligation into an enforceable control, structured evidence, and ongoing assurance discipline aligned to ODPC requirements.
Why This Matters Now
The Kenya Data Protection Act 2019 is one of the most comprehensive data protection laws in Africa, modelled on the EU GDPR. It mandates appointment of a DPO, requires Data Protection Impact Assessments (DPIAs) for high-risk processing, and enforces breach notification within 72 hours. For M365 environments, this translates to Purview data classification, Conditional Access for access control, and Defender incident response workflows. As East Africa's largest digital economy, Kenya's DPA affects any multinational with Kenyan operations.
Framework Metadata
Scope & Applicability
Applies to data controllers and processors who are established in Kenya, process personal data while in Kenya, or process personal data of data subjects located in Kenya. Covers both automated and manual processing. The Act applies to the public and private sectors. M365 tenants processing Kenyan personal data must implement appropriate technical and organisational measures as prescribed by the ODPC.
Core Obligations
Data Protection Principles
Process personal data lawfully, fairly, and transparently. Ensure purpose limitation, data minimisation, accuracy, storage limitation, and security.
Data Protection Officer
Appoint a DPO where the organisation processes sensitive personal data or data of a large number of data subjects.
Data Protection Impact Assessment
Conduct a DPIA before processing that is likely to result in high risk to the rights and freedoms of data subjects.
Breach Notification
Notify the ODPC of any personal data breach within 72 hours. Notify affected data subjects where the breach poses a high risk to their rights.
Cross-Border Transfers
Transfer personal data outside Kenya only to countries with adequate data protection or with appropriate safeguards.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
Data Classification & Protection
Controls: Purview sensitivity labels for Kenyan personal data classification. Auto-labelling policies for high-risk data categories. DLP policies preventing external sharing of sensitive Kenyan data.
Evidence: Label usage analytics, auto-labelling match reports, DLP incident summaries.
72-Hour Breach Notification
Controls: Defender XDR incident detection with Sentinel playbooks for ODPC notification workflows. Automated severity classification against DPA criteria.
Evidence: Incident timeline reports, playbook execution logs, notification records.
Access Control & Security
Controls: Conditional Access policies enforcing MFA, device compliance, and risk-based access evaluation. PIM for privileged access management.
Evidence: Conditional Access logs, MFA reports, PIM activation history.
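As an added illustration of the "DLP policies preventing external sharing of sensitive Kenyan data" control above (example script, not StremarControl's or Microsoft's own deployment code), the following Security & Compliance PowerShell creates a DLP policy whose rule blocks sharing outside the organisation of content carrying a sensitivity label. The label name "Kenya Personal Data" and the policy name are assumptions; any existing published sensitivity label name can be substituted. The policy starts in test mode so matches can be reviewed before enforcement, and the final query pulls the configuration back out as evidence for the control mapping.

```powershell
# Requires the ExchangeOnlineManagement module; Connect-IPPSSession opens
# a Security & Compliance PowerShell session (interactive sign-in).
Connect-IPPSSession

# Assumed names; adjust to the tenant's own label and naming convention.
$policyName = "Kenya DPA - Personal Data External Sharing"
$labelName  = "Kenya Personal Data"

# 1. Policy scope: all Exchange, SharePoint, OneDrive and Teams locations.
#    TestWithNotifications logs matches and notifies users without blocking,
#    so false positives can be reviewed before switching to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Rule: content labelled "Kenya Personal Data" shared with recipients
#    outside the organisation is blocked; the content owner is notified and
#    a high-severity incident report is generated for evidence collection.
$labelCondition = @(
    @{
        operator = "And"
        groups   = @(
            @{
                operator = "Or"
                name     = "Default"
                labels   = @(
                    @{ name = $labelName; type = "Sensitivity" }
                )
            }
        )
    }
)

New-DlpComplianceRule -Name "Block external sharing of labelled Kenyan personal data" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -ReportSeverityLevel High `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent @("Title", "DocumentAuthor", "Detections", "Severity")

# 3. Evidence: export the effective policy and rule configuration so the
#    control state can be attached to the compliance record.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, Workload, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, ReportSeverityLevel, Disabled

# After review, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The rule is deliberately keyed to the sensitivity label rather than to a built-in sensitive information type, so it enforces whatever classification the Purview labelling policies (manual or auto-labelling) have already applied; the same rule then covers every data category that the labelling scheme routes to that label.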
Implementation Timeline
Related Frameworks
With fines exceeding EUR 1.2 billion for major infractions, GDPR non-compliance is a material financial risk that demands board-level ownership.
POPIA carries administrative fines up to ZAR 10 million and imprisonment up to 10 years—the Information Regulator holds management directly accountable for processing failures.
Post-Brexit divergence means UK organisations must now navigate two parallel GDPR regimes, with the ICO imposing fines up to GBP 17.5 million or 4% of global turnover.
Ready to get Kenya DPA-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against Kenya DPA requirements, close gaps, and produce audit-ready evidence.