The IDTA applied to Kenya is the contractual safeguard a UK organisation puts in place when it sends personal data to a partner in Kenya. Because Kenya has no UK adequacy decision, a transfer cannot rely on adequacy and must instead carry an Article 46 protection. For UK-origin data that is normally the UK International Data Transfer Agreement (IDTA), backed by a Transfer Risk Assessment (TRA). This guide explains exactly when the IDTA is required for a Kenya transfer, what it covers, and how to implement it as part of a wider UK GDPR compliance approach.
Key Facts
| Item | Position for Kenya transfers |
|---|---|
| UK adequacy decision for Kenya | None |
| Trigger | Any restricted transfer of UK-origin personal data to Kenya |
| Primary tool | UK IDTA |
| Alternative tool | EU SCCs plus the UK Addendum |
| Mandatory companion | Transfer Risk Assessment (TRA) |
| Regulator (UK) | Information Commissioner’s Office (ICO) |
| Regulator (Kenya) | Office of the Data Protection Commissioner (ODPC) |
| Kenya law | Data Protection Act 2019 (GDPR-aligned) |
| EU SCCs alone valid for UK data | No |
| Typical placement | Annexed to a data processing agreement |
Key terms
- IDTA
- UK International Data Transfer Agreement, the UK's standalone contract for legalising restricted transfers of UK-origin personal data to non-adequate countries.
- Transfer Risk Assessment (TRA)
- The exporter's documented evaluation of whether the IDTA's protections will be effective in the destination country in practice.
- Restricted transfer
- A transfer of personal data from the UK to a receiver in a country not covered by UK adequacy regulations.
When the IDTA is required for Kenya
Answer: The IDTA is required whenever UK-origin personal data is transferred to a receiver in Kenya, because Kenya is not covered by a UK adequacy decision.
A restricted transfer happens when a UK controller or processor makes personal data available to a separate organisation in a non-adequate country. Sending customer records to a Nairobi support team, payroll data to a Kenyan accountant, or case files to a legal-support provider all qualify. Kenya’s own Data Protection Act 2019 is GDPR-aligned and enforced by the ODPC, which is reassuring, but it does not satisfy the UK exporter’s duty. The UK rule is separate: without adequacy, you need an Article 46 safeguard, and the IDTA is the default choice. For how the IDTA compares with the older clauses framework, see our SCCs for Kenya guide.
What the IDTA covers
Answer: The IDTA imposes binding protections on both parties, covering roles, data types, security, data-subject rights and enforcement.
| Element | What it sets out |
|---|---|
| Parties and roles | Who exports, who imports, and whether each is controller or processor |
| Data and purposes | The categories of personal data and the permitted uses |
| Security measures | Technical and organisational controls required of the importer |
| Data-subject rights | How individuals can exercise rights and seek redress |
| Onward transfers | Conditions for the importer passing data further |
| Enforcement and termination | Liability, audits, and what happens on breach |
The IDTA is designed to give UK personal data “appropriate safeguards” once it leaves the UK, so that the level of protection travels with the data. It is usually annexed to the commercial data processing agreement rather than signed in isolation.
How to implement the IDTA with a TRA
Answer: Run a Transfer Risk Assessment first, then complete and sign the IDTA, then attach it to your data processing agreement and keep it under review.
A practical sequence:
- Map the transfer. Identify the data, the parties, and whether each is a controller or processor. This determines which IDTA tables you complete.
- Run the TRA. Document whether the IDTA’s protections will be effective in Kenya, considering local law and the sensitivity of the data. The ICO expects this before reliance.
- Complete the IDTA. Fill in the parties, data, security measures and any extra protections the TRA recommends.
- Sign and annex. Execute the IDTA and attach it to the data processing agreement with your Kenyan provider.
- Review. Re-check the TRA and IDTA if the data, processing or local-law position changes.
This sits within the wider UK-Kenya compliance framework, where data protection is one of four pillars alongside tax, employment law and payroll. Where staff are engaged through an Employer of Record, the same transfer safeguards still apply to any UK-origin personal data the team handles.
Common mistakes to avoid
- Relying on Kenya’s GDPR-aligned law as if it removed the UK transfer duty. It does not.
- Using the EU SCCs alone for UK-origin data. They are not valid for UK transfers without the UK Addendum.
- Skipping the TRA. The IDTA without a documented risk assessment leaves a gap the ICO can question.
- Treating the IDTA as set-and-forget. It should be reviewed when circumstances change.
For the wider context, see our guide to outsourcing to Kenya and the kenya outsourcing rates overview.
Key Takeaways
- Kenya has no UK adequacy decision, so UK-origin transfers to Kenya need the IDTA (or the EU SCCs with the UK Addendum).
- The IDTA binds both parties on roles, data, security, rights and enforcement, and is usually annexed to a data processing agreement.
- A Transfer Risk Assessment must be completed before relying on the IDTA.
- The EU SCCs are not valid on their own for UK-origin transfers.
Looking for a Kenya outsourcing partner?
A data-mature Kenyan provider will sign the IDTA, support your Transfer Risk Assessment and meet UK GDPR security expectations so your data transfers stay defensible.
Find a Kenya Outsourcing Partner →
Frequently Asked Questions
When does a UK firm need the IDTA for Kenya?
Whenever UK-origin personal data is transferred to Kenya. Kenya has no UK adequacy decision, so a restricted transfer needs an Article 46 safeguard. For UK-origin data the standard tool is the UK International Data Transfer Agreement (IDTA), supported by a Transfer Risk Assessment.
What does the IDTA cover?
The IDTA sets binding contractual protections between the UK data exporter and the importer in Kenya: the roles of the parties, the types of data, security measures, data-subject rights and enforcement. It gives UK data appropriate safeguards once it leaves the UK.
Is a Transfer Risk Assessment required with the IDTA?
Yes. The ICO expects exporters to carry out a Transfer Risk Assessment (TRA) before relying on the IDTA, documenting whether the protections will be effective in Kenya in practice, considering local law and the data involved.
Can the EU SCCs be used instead of the IDTA for Kenya?
Not on their own for UK-origin transfers. The EU SCCs are not valid for UK transfers. A UK firm uses either the IDTA or the EU SCCs with the UK Addendum, which adapts the EU clauses to UK GDPR.
Sources & References
- UK Information Commissioner’s Office, “International transfers and the IDTA,” accessed 2026-06-13. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
- Office of the Data Protection Commissioner (Kenya), “Data Protection Act, 2019,” accessed 2026-06-13. https://www.odpc.go.ke/
Published by Outsourcing.ke.
Further Reading
- The International Data Transfer Agreement Explained — the instrument itself and the UK Addendum
- UK GDPR When Outsourcing to Kenya — lawful transfers, TRAs and DPAs
- SCCs vs the IDTA for Kenya — which UK firms must use
- Employer of Record Kenya — EOR services for UK companies expanding to Kenya