The Data Protection Act 2019 is Kenya’s comprehensive data protection law, closely aligned with the GDPR and enforced by the Office of the Data Protection Commissioner (ODPC). It governs how personal data is collected, used, secured and transferred in Kenya, and it is central to the question UK and US buyers ask most often: is my data safe when outsourcing to Kenya? This page explains the Act’s main duties, registration, breach rules and cross-border transfers, then sets the Kenya position alongside the UK and US obligations buyers carry on their own side. See our compliance overview for the wider framework.
Key Facts
| Item | Position under the Act |
|---|---|
| Law | Data Protection Act 2019 (GDPR-aligned) |
| Regulator | Office of the Data Protection Commissioner (ODPC) |
| Registration trigger | Turnover > KES 5m, or >10 employees, or sensitive data / 10,000+ data subjects |
| Breach notification | Within 72 hours |
| Maximum fine | Up to KES 5m or 1% of annual turnover |
| Cross-border basis (s48/49) | Adequacy, appropriate safeguards, necessity, or consent |
| Appropriate safeguards | SCCs or BCRs |
| UK adequacy for Kenya | None (UK side needs IDTA plus TRA) |
| UK restricted transfer | Includes remote access by a Kenya team to UK data |
| US position | No federal comprehensive law; export side governed by Kenya DPA |
Key terms
- ODPC: The Office of the Data Protection Commissioner, Kenya's independent regulator that enforces the Data Protection Act 2019.
- Cross-border transfer: Moving personal data out of Kenya, permitted under sections 48 and 49 on grounds of adequacy, appropriate safeguards, necessity or consent.
- Sensitive data: Categories such as health, biometric and similar data that attract stronger protection and can trigger ODPC registration.
What the Act requires
Answer: The Act requires lawful, fair and transparent processing, gives data subjects enforceable rights over their data, and is enforced by the ODPC with meaningful penalties.
Modelled closely on the GDPR, the Data Protection Act 2019 sets out principles for lawful processing, purpose limitation, data minimisation and security, and gives individuals rights over their data. It is enforced by the ODPC, an independent regulator, and breaches can attract fines of up to KES 5 million or 1% of annual turnover. For a UK or US buyer, this alignment matters: it means a Kenyan provider operates under a recognisable legal regime rather than a vacuum, which is the foundation of any “is my data safe?” answer. The Act is one of four compliance pillars alongside tax, employment law and payroll in our compliance overview.
ODPC registration thresholds
Answer: Registration with the ODPC is mandatory above set thresholds for turnover, headcount, and the nature or volume of data processed.
A data controller or processor must register with the ODPC where any threshold is met: annual turnover above KES 5 million, more than 10 employees, or processing of sensitive data or the data of 10,000 or more data subjects. Many providers handling UK or US client data will cross at least one threshold, so registration is a reasonable thing to verify in an RFP. Below the thresholds registration may not be required, but the Act’s other duties on lawful processing, security and breach handling still apply. Registration is therefore a useful signal of maturity, not the whole of compliance.
Breach notification and security
Answer: Controllers must notify the ODPC of a qualifying personal data breach within 72 hours, supported by appropriate security measures.
The 72-hour notification window mirrors the GDPR standard and obliges providers to detect, assess and report breaches promptly. Behind it sits a duty to maintain appropriate technical and organisational security. When assessing a provider, ask how they detect and escalate incidents and how they would meet the 72-hour deadline in practice. Be precise about security claims: where a provider references ISO 27001 or HIPAA, treat these as aligned controls to verify rather than as certification, unless they hold a current certificate. Strong breach handling is one of the clearest indicators that data is being looked after.
Cross-border transfers, three sides
Answer: The Kenya DPA governs transfers out of Kenya under sections 48 and 49, while the UK and US each impose their own rules on the export side.
This is where buyers must hold three pictures at once:
| Side | Rule |
|---|---|
| Kenya (export from Kenya) | Sections 48/49: adequacy, appropriate safeguards (SCCs/BCRs), necessity, or consent |
| UK (export to Kenya) | No UK adequacy, so the IDTA plus a Transfer Risk Assessment |
| US (export to Kenya) | No federal comprehensive law; transfer governed by contract, with state laws applying |
For UK buyers, the key point is that Kenya’s GDPR-aligned law does not remove the UK duty: a restricted transfer to Kenya, including remote access by a Kenya team to UK personal data, needs the IDTA backed by a Transfer Risk Assessment. For US buyers, there is no federal comprehensive law; the transfer is governed by contract, while applicable state privacy laws shape your obligations and the Kenya DPA governs the export side. Our UK GDPR guide covers the UK mechanism in full.
Key Takeaways
- The Data Protection Act 2019 is GDPR-aligned and enforced by the ODPC, with fines up to KES 5m or 1% of turnover.
- ODPC registration is mandatory above thresholds for turnover, headcount, or sensitive or high-volume data.
- Breaches must be notified within 72 hours; treat ISO 27001 / HIPAA references as aligned controls to verify.
- Data safety rests on three sides: the Kenya DPA, the UK IDTA plus TRA, and US contractual and state-law terms.
Looking for a Kenya outsourcing partner?
A data-mature Kenyan provider will be ODPC-registered where required, meet the 72-hour breach rule and support your UK or US transfer safeguards.
Frequently Asked Questions
What is Kenya’s Data Protection Act 2019?
It is Kenya’s comprehensive data protection law, closely aligned with the GDPR and enforced by the Office of the Data Protection Commissioner. It sets rules for lawful processing, data-subject rights, registration, breach notification and cross-border transfers, with fines up to KES 5 million or 1 percent of annual turnover.
Is my data safe when outsourcing to Kenya?
Kenya’s Data Protection Act 2019 is GDPR-aligned and enforced by the ODPC, giving a strong legal baseline on the export side. UK buyers add the IDTA and a Transfer Risk Assessment, and US buyers add contractual terms reflecting applicable state laws. With the right safeguards layered on, the transfer can be defensible.
When must a business register with the ODPC?
Registration is mandatory above set thresholds: annual turnover above KES 5 million, more than 10 employees, or processing of sensitive data or the data of 10,000 or more data subjects. Below these thresholds registration may not be required, but other duties under the Act still apply.
How are cross-border transfers handled under the Kenya DPA?
Sections 48 and 49 allow transfers out of Kenya on the basis of adequacy, appropriate safeguards such as SCCs or BCRs, necessity, or consent. Inbound transfers from the UK are governed separately by UK law, which requires the IDTA plus a Transfer Risk Assessment because Kenya has no UK adequacy decision.
Published by Outsourcing.ke.
Further Reading
- Compliance Overview — the four-pillar framework
- IDTA for Kenya — the UK transfer safeguard
- US State Privacy Laws and Kenya — the US side of compliant transfers
- Employer of Record Kenya — EOR services for firms entering Kenya