UK-Kenya outsourcing compliance is the set of legal and tax obligations a UK business must satisfy when it engages Kenyan talent: protecting personal data lawfully across the border, avoiding an unintended taxable presence, respecting Kenyan employment law, and operating statutory payroll correctly. None of these is exotic, but they sit in four different rulebooks. This overview maps the framework and links to the detailed guide for each pillar so finance, legal and procurement teams can work from a shared picture before outsourcing to Kenya.
Key Facts
| Item | Current position |
|---|---|
| Data protection (Kenya) | Data Protection Act 2019, GDPR-aligned, enforced by the ODPC |
| UK adequacy decision | None for Kenya, so transfer safeguards are mandatory |
| Required transfer tool | UK IDTA (or UK Addendum to EU SCCs) plus a Transfer Risk Assessment |
| Tax treaty | UK-Kenya Double Taxation Agreement in force |
| Tax risk | Permanent Establishment under the treaty; an EOR mitigates, not eliminates |
| Employment law | Employment Act 2007 |
| Legal system | Common Law derived from English law (unitary) |
| Statutory payroll | PAYE, NSSF, SHIF (2.75%), Affordable Housing Levy |
| Remittance deadline | 9th of the following month |
| Working overlap | 5-6 hours with the UK working day |
Key Terms
- IDTA: The UK International Data Transfer Agreement, the post-Brexit instrument that legalises UK-origin personal data transfers to countries without a UK adequacy decision, such as Kenya.
- Permanent Establishment (PE): A taxable presence a foreign company can create in Kenya under the Double Taxation Agreement, potentially exposing profits to Kenyan corporation tax.
- SHIF: The Social Health Insurance Fund, a 2.75% health contribution administered by the Social Health Authority (SHA); it replaced NHIF in October 2024.
Pillar 1: Cross-border data protection
Answer: Because Kenya has no UK adequacy decision, every UK-origin personal data transfer needs the IDTA plus a Transfer Risk Assessment, layered on top of Kenya’s own GDPR-aligned regime.
Kenya’s Data Protection Act 2019 closely mirrors the GDPR and is enforced by the Office of the Data Protection Commissioner (ODPC). That alignment helps, but it does not replace the UK exporter’s own duty. Under UK GDPR, a transfer to a country without adequacy must rely on an Article 46 safeguard. For UK-origin data that is the UK IDTA applied to Kenya, and a Transfer Risk Assessment must document why the data will be adequately protected. The EU Standard Contractual Clauses are not valid on their own for UK transfers; see SCCs vs the IDTA for Kenya.
Pillar 2: Permanent Establishment risk
Answer: Activity in Kenya can create a Permanent Establishment that exposes the UK company to Kenyan tax, so the engagement model matters as much as the contract.
The UK-Kenya Double Taxation Agreement defines when a UK company is treated as having a taxable presence in Kenya. A fixed place of business or a dependent agent concluding contracts can both trigger it. An Employer of Record (EOR) is the most common mitigation because the EOR, not the UK firm, is the legal employer in Kenya, but it reduces rather than removes the exposure. The detail is in our Permanent Establishment risk guide.
Pillar 3: Kenyan employment law
Answer: The Employment Act 2007 sets the floor for contracts, working time, leave, termination and redundancy, within a Common Law system familiar to UK lawyers.
Kenya’s legal heritage is Common Law derived from English law, so doctrines such as precedent and contractual interpretation are recognisable to UK counsel. The statutory baseline lives in the Employment Act 2007, which governs written particulars, notice, leave entitlements and the procedure for fair termination and redundancy. Whether you engage staff through an EOR or your own entity, these minimums apply.
Pillar 4: Statutory payroll
Answer: Kenyan payroll runs four monthly items, all due by the 9th of the following month, and employer on-costs are modest by UK standards.
| Item | Rate | Notes |
|---|---|---|
| PAYE | 10% to 35% progressive | Personal relief KES 2,400/month |
| NSSF | 6% employee + 6% employer | Max KES 4,320 each (from Feb 2025) |
| SHIF | 2.75% of gross | Min KES 300, no cap; replaced NHIF Oct 2024 |
| Housing Levy | 1.5% employee + 1.5% employer | 3%/month penalty if late |
For a KES 150,000/month employee, employer on-costs (NSSF KES 4,320 plus Housing Levy KES 2,250) total about KES 6,570, roughly 4.4% on top of gross, against UK employer National Insurance at 15%. Full mechanics, deadlines and a worked example are in the PAYE compliance guide and the NSSF employer obligations guide.
How the pillars fit together
These four areas are usually handled in parallel rather than in sequence. A typical UK engagement signs a data processing agreement with the IDTA attached, structures the relationship through an EOR to manage PE risk, relies on the EOR to meet Employment Act 2007 minimums, and lets the EOR operate the statutory payroll. Getting all four right is what turns a cost saving into a defensible operating model.
Key Takeaways
- UK-Kenya compliance rests on four pillars: data transfers, PE tax risk, employment law and statutory payroll.
- Kenya has no UK adequacy decision, so the IDTA plus a Transfer Risk Assessment is mandatory for UK-origin personal data.
- An Employer of Record mitigates Permanent Establishment risk but does not eliminate it.
- Kenyan employer payroll on-costs are around 4.4% on a mid-level salary, well below UK employer National Insurance at 15%.
Frequently Asked Questions
What does UK-Kenya outsourcing compliance cover?
Four pillars: cross-border data protection (UK GDPR plus the IDTA and a Transfer Risk Assessment), Permanent Establishment tax risk under the UK-Kenya treaty, Kenyan employment law under the Employment Act 2007, and statutory payroll (PAYE, NSSF, SHIF and the Affordable Housing Levy).
Does sending personal data to Kenya require the IDTA?
Yes. Kenya has no UK adequacy decision, so any UK-origin personal data transfer needs the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs, supported by a Transfer Risk Assessment.
What is Permanent Establishment risk in Kenya?
Permanent Establishment (PE) is the risk that activity in Kenya creates a taxable presence for the UK company under the UK-Kenya Double Taxation Agreement. An Employer of Record mitigates PE risk but does not eliminate it.
Which Kenyan law governs the employment relationship?
The Employment Act 2007 governs contracts, working time, leave, termination and redundancy. Kenya’s legal system is Common Law derived from English law, which makes its concepts familiar to UK businesses.
Published by Outsourcing.ke.