Compliance is the part of the Kenya outsourcing decision that UK firms most often underestimate. It breaks into five areas: lawfully transferring personal data, managing Permanent Establishment tax risk, applying Kenyan employment law, operating statutory payroll, and protecting IP and confidentiality. None of these is prohibitive - Kenya’s Common Law foundations and GDPR-aligned data regime make the country easier to deal with than many alternatives - but each is specific and current, and each must be in place before delivery starts. This pillar page sets out what each obligation involves and links to the detailed guides. For the high-level summary, our compliance overview is the companion read.
Key Facts
| Obligation | Detail |
|---|---|
| Data transfer mechanism | UK IDTA plus Transfer Risk Assessment |
| Transfer Risk Assessment | Mandatory since 21 March 2024 |
| Kenyan data law | Data Protection Act 2019, GDPR-aligned |
| Data regulator | Office of the Data Protection Commissioner |
| Breach notification | Within 72 hours |
| Data fines | Up to KES 5m or 1% of turnover |
| Tax treaty | UK-Kenya Double Taxation Agreement |
| PE risk | Activity can create taxable presence; EOR mitigates |
| Employment statute | Employment Act 2007 (Common Law) |
| PAYE bands | 10 / 25 / 30 / 32.5 / 35% |
| Personal relief | KES 2,400 per month |
| NSSF pension | 6% + 6%, employer cap KES 4,320/mo (Feb 2025) |
| Health levy | SHIF 2.75% of gross (replaced NHIF, Oct 2024) |
| Affordable Housing Levy | 1.5% + 1.5% |
| Employer statutory on-cost | About 10-15% of gross |
| Remittance deadline | By the 9th of the following month |
Key terms
- Adequacy decision: A UK government finding that another country's data protection is equivalent to UK GDPR; Kenya does not have one, which is why the IDTA is required.
- IDTA: The UK International Data Transfer Agreement, the contractual route that lawfully covers personal-data transfers to a non-adequate country, paired with a Transfer Risk Assessment.
- Permanent Establishment: A taxable presence created in a foreign country by the nature of a company's activities there, assessed under the relevant double taxation treaty.
- PAYE: Pay As You Earn - Kenya's withholding income tax on salaries, filed and paid through the KRA iTax system.
- SHIF: The Social Health Insurance Fund levy at 2.75% of gross pay, which replaced NHIF in October 2024.
How does a UK firm transfer data to Kenya lawfully?
Answer: Kenya has no UK adequacy decision, so a UK firm must use the UK IDTA and complete a Transfer Risk Assessment before sending personal data.
This is the first gate, and it applies before any work involving personal data begins. Because the UK has not granted Kenya an adequacy decision, the lawful route is the UK International Data Transfer Agreement (IDTA), supported by a documented Transfer Risk Assessment that has been mandatory since 21 March 2024. Kenya’s own Data Protection Act 2019 helps the analysis: it sets GDPR-aligned principles, requires breach notification within 72 hours, carries penalties of up to KES 5 million or 1% of annual turnover, and is overseen by the Office of the Data Protection Commissioner (ODPC). That gives the assessment a credible legal counterpart to point to - but it does not remove the IDTA requirement. Our UK GDPR and Kenya guide walks through the documentation, and the Kenyan regime itself is set out in the Data Protection Act guide.
| Data transfer element | Requirement |
|---|---|
| Legal basis for transfer | UK IDTA (no UK adequacy for Kenya) |
| Risk assessment | Transfer Risk Assessment, mandatory since 21 Mar 2024 |
| Kenyan regime | Data Protection Act 2019, GDPR-aligned |
| Breach notification | Within 72 hours |
| Penalties | Up to KES 5m or 1% of turnover |
| Regulator | Office of the Data Protection Commissioner |
What is Permanent Establishment risk?
Answer: Activity in Kenya can create a taxable presence under the UK-Kenya Double Taxation Agreement; an EOR mitigates this but does not eliminate it.
Permanent Establishment (PE) is a taxable presence created in a foreign country by the nature of a company’s activities there. For a UK firm with people working in Kenya, the question is whether those activities cross the thresholds in the UK-Kenya Double Taxation Agreement - tests turning on control, contracting authority and fixed place of business. If they do, profits can become taxable in Kenya. The most common mitigation is an Employer of Record, which becomes the legal employer of the Kenyan staff, but an EOR reduces rather than removes PE risk, and the outcome is fact-specific. Treaty-specific tax advice is essential before you commit. Our guide on Permanent Establishment risk in Kenya covers the structures in detail.
How familiar is Kenyan employment law?
Answer: Kenya’s Common Law system, derived from English law, governs employment through the Employment Act 2007 - familiar in structure to UK firms.
Kenya inherited Common Law from England, so the underlying logic of contracts, precedent and dispute resolution is recognisable to UK businesses. The operative statute is the Employment Act 2007, which sets minimum terms on written contracts, working time, leave, notice and termination. Familiarity does not mean identity - local thresholds, notice periods and procedures differ from the UK and must be followed precisely - but the conceptual distance is small. The detail sits in our Employment Act 2007 guide. Using an Employer of Record places this responsibility with a local entity that operates the Act day to day.
What statutory payroll obligations apply?
Answer: Employers operate PAYE, NSSF, SHIF and the Affordable Housing Levy, all remitted by the 9th of the following month.
Four statutory items apply to Kenyan staff, current to 2025/26:
- PAYE - progressive income tax across bands of 10%, 25%, 30%, 32.5% and 35%, withheld from salary, less personal relief of KES 2,400 a month. PAYE is filed and paid via the KRA iTax system. See our PAYE compliance guide.
- NSSF - pension at 6% employer and 6% employee, with an employer cap of KES 4,320 a month from February 2025. The employer obligations are covered in our NSSF guide.
- SHIF - the Social Health Insurance Fund levy at 2.75% of gross, administered by the Social Health Authority, which replaced NHIF in October 2024.
- Affordable Housing Levy - 1.5% employer plus 1.5% employee of gross pay. A NITA training levy also applies.
| Statutory item | 2025/26 basis |
|---|---|
| PAYE | 10-35% bands; relief KES 2,400/month; via iTax |
| NSSF | 6% + 6%, employer cap KES 4,320/month |
| SHIF | 2.75% of gross (replaced NHIF, Oct 2024) |
| Affordable Housing Levy | 1.5% + 1.5% |
| Remittance deadline | By the 9th of the following month |
All are remitted by the 9th of the following month. PAYE is borne by the employee; the employer’s direct on-costs are NSSF, SHIF, the employer side of the Housing Levy and the NITA levy, which together run about 10-15% of gross pay.
A worked example: the employer on-cost on one role
Answer: On a KES 100,000 gross salary, the employer’s direct statutory on-cost is roughly KES 10,000-15,000 a month - about 10-15% - keeping the fully loaded cost far below UK levels.
To make the on-cost concrete, take a supervisor on KES 100,000 gross per month. PAYE is withheld from that figure and borne by the employee, so it does not add to the employer’s cost. The employer’s own contributions stack up as follows.
| Employer contribution | Basis | Indicative monthly cost (KES) |
|---|---|---|
| NSSF pension (employer) | 6%, capped KES 4,320 | Up to 4,320 |
| SHIF (employer-facilitated) | 2.75% of gross | About 2,750 |
| Affordable Housing Levy (employer) | 1.5% of gross | 1,500 |
| NITA training levy | Fixed/small | Modest |
| Approximate total | - | About 10,000-15,000 |
That places the employer’s statutory on-cost at roughly 10-15% of gross - far lighter than the UK, where employer National Insurance alone is 15% on top of pension auto-enrolment and other costs. It is exactly this combination of low salaries and modest on-costs that keeps fully loaded Kenyan delivery well below UK levels even with full statutory compliance. The role-level numbers sit on our costs overview and the why Kenya pillar.
How are IP and confidentiality protected?
Answer: IP and confidentiality are secured through contract - assignment and confidentiality clauses - reinforced by Kenya’s Common Law framework and the Data Protection Act for personal data.
For most UK buyers, protecting intellectual property and confidential information is as important as data-transfer compliance. The primary mechanism is contractual: clear IP-assignment and confidentiality clauses in the master service agreement and in individual employment contracts, ensuring that work product and inventions vest in the client. Kenya’s Common Law system makes these structures familiar and enforceable in ways UK firms recognise. Where an Employer of Record is used, confirm that IP created by the staff is assigned through the EOR to the end client, since the EOR is the legal employer. For personal data specifically, the Data Protection Act 2019 adds a statutory layer on top of the contract. This is a standard item to settle during due diligence rather than a novel risk.
How does compliance fit the wider decision?
Answer: Compliance is the condition for capturing Kenya’s other advantages, not a reason to avoid them - and an EOR carries most of the load.
The point of mapping these obligations is to show that they are bounded and well understood. The data regime is GDPR-aligned, the legal system is Common Law, and the payroll items are published and stable. An Employer of Record handles employment law, payroll and much of the PE mitigation, leaving the UK firm to manage data-transfer documentation with counsel. Set against the cost, time-zone and workforce advantages, compliance is the manageable cost of entry rather than a barrier. The full structural case is on our why Kenya pillar.
Key Takeaways
- Data transfers require the UK IDTA and a Transfer Risk Assessment (mandatory since 21 March 2024); Kenya’s GDPR-aligned Data Protection Act 2019 - with 72-hour breach notice and fines up to KES 5m or 1% of turnover - supports but does not replace them.
- Activity in Kenya can create Permanent Establishment under the UK-Kenya treaty; an EOR mitigates the risk but does not eliminate it, so take tax advice.
- Employment runs under the Employment Act 2007 within a Common Law system familiar to UK firms, though local thresholds differ; IP and confidentiality are secured by contract.
- Statutory payroll - PAYE, NSSF, SHIF (which replaced NHIF in October 2024) and the Housing Levy - is published and stable, remitted by the 9th each month, with an employer on-cost of about 10-15%.
Further Reading
- Compliance Overview - the obligations summarised
- IDTA for Kenya - the data-transfer agreement in practice
- UK GDPR and Kenya - the data documentation in full
- Kenya Data Protection Act - the local regime and the ODPC
- PAYE and Statutory Compliance - employer payroll obligations
- NSSF Employer Obligations - the pension contribution rules
- Permanent Establishment Risk in Kenya - managing tax presence
- Kenya Employment Act 2007 - the governing employment statute
- Employer of Record Kenya - EOR services for UK companies expanding to Kenya