UK GDPR compliance when outsourcing to Kenya is the discipline of making sure UK-origin personal data stays lawfully protected once it is handled by a Kenyan provider. Because Kenya has no UK adequacy decision, you cannot simply send the data; you need a recognised transfer safeguard, a documented risk assessment and a proper processing contract. Done correctly, none of this blocks a UK firm from outsourcing to Kenya; it just structures it. This guide walks through lawful transfers, the IDTA, the Transfer Risk Assessment and data processing agreements.
Key Facts
| Item | Position |
|---|---|
| UK adequacy decision for Kenya | None |
| Legal basis for transfer | UK GDPR Article 46 (appropriate safeguards) |
| Primary safeguard | UK IDTA |
| Alternative safeguard | EU SCCs plus the UK Addendum |
| Mandatory companion | Transfer Risk Assessment (TRA) |
| Processing contract | Data processing agreement (DPA) |
| UK regulator | Information Commissioner’s Office (ICO) |
| Kenya regulator | Office of the Data Protection Commissioner (ODPC) |
| Kenya law | Data Protection Act 2019 (GDPR-aligned) |
| EU SCCs alone for UK data | Not valid |
Key terms
- Restricted transfer: A transfer of UK-origin personal data to a country, such as Kenya, not covered by UK adequacy regulations.
- Transfer Risk Assessment (TRA): The exporter's documented evaluation of whether the chosen safeguard will be effective in practice in the destination country.
- Data processing agreement (DPA): The contract required under UK GDPR where a processor handles personal data on a controller's behalf.
Lawful transfers to Kenya
Answer: A transfer of UK-origin personal data to Kenya is lawful only with an Article 46 safeguard, because Kenya is not covered by a UK adequacy decision.
The starting point under UK GDPR is that personal data should not leave the UK for a non-adequate country without appropriate safeguards. Kenya has no adequacy decision, so the transfer is “restricted” and needs a recognised tool. The default tool for UK-origin data is the UK IDTA applied to Kenya. The EU Standard Contractual Clauses are not valid on their own for UK data, as set out in our SCCs for Kenya guide; a UK firm uses the IDTA or the EU SCCs with the UK Addendum.
The IDTA
Answer: The IDTA is the contractual safeguard that gives UK personal data appropriate protection once it reaches the Kenyan provider.
The IDTA binds exporter and importer on roles, data types, security measures, data-subject rights and enforcement. It is normally annexed to the data processing agreement rather than signed in isolation, so the commercial and data-protection terms travel together. The instrument and the alternative UK Addendum route are explained in our "IDTA explained" guide.
The Transfer Risk Assessment
Answer: The TRA documents whether the IDTA’s protections will actually be effective in Kenya, taking account of local law and the data involved.
The contract alone is not enough; the ICO expects a documented assessment before reliance. A practical TRA considers:
| Factor | Question it answers |
|---|---|
| Local law | Does Kenyan law support or undermine the safeguard? |
| Data sensitivity | How serious would harm be if protection failed? |
| Provider controls | Are the importer’s security measures adequate? |
| Onward transfers | Could the data be passed further, and under what terms? |
Kenya’s Data Protection Act 2019 is GDPR-aligned and enforced by the ODPC, which strengthens the assessment. That alignment is a genuine help, but it does not remove the UK exporter’s duty to run the TRA and put the safeguard in place.
The data processing agreement
Answer: Where the Kenyan provider processes personal data on your behalf, UK GDPR requires a data processing agreement, with the IDTA typically annexed.
The DPA sets out the processor’s obligations: acting only on your instructions, keeping the data secure, assisting with data-subject rights, and dealing with breaches and sub-processors. For UK firms, the clean way to operate is one DPA with the IDTA attached and the TRA on file. Where staff are engaged through an Employer of Record, the same transfer discipline applies to any UK-origin personal data the team handles, and data protection sits alongside the other pillars of the UK-Kenya compliance framework.
Putting it together
The compliant pattern is consistent: confirm the transfer is restricted, choose the IDTA, run the TRA, sign the DPA with the IDTA annexed, and review when circumstances change. With those four steps in place, a UK firm can use Kenyan talent while keeping its UK GDPR position defensible.
Key Takeaways
- Kenya has no UK adequacy decision, so UK-origin transfers need an Article 46 safeguard, normally the IDTA.
- A Transfer Risk Assessment must confirm the safeguard will be effective in Kenya before you rely on it.
- A data processing agreement is required where the provider processes personal data on your behalf; the IDTA is usually annexed.
- Kenya’s GDPR-aligned Data Protection Act 2019 supports the TRA but does not replace the UK exporter’s duty.
Frequently Asked Questions
Is it lawful to outsource personal data processing to Kenya under UK GDPR?
Yes, provided the transfer is protected. Kenya has no UK adequacy decision, so a UK-origin transfer needs an Article 46 safeguard, normally the IDTA, plus a Transfer Risk Assessment and a data processing agreement with the Kenyan provider.
What is a Transfer Risk Assessment?
A Transfer Risk Assessment (TRA) is the exporter’s documented evaluation of whether the transfer safeguard, such as the IDTA, will be effective in Kenya in practice, taking account of local law and the nature of the data.
Do I need a data processing agreement with the Kenyan provider?
Yes. Where the provider processes personal data on your behalf, UK GDPR requires a data processing agreement setting out the processor’s obligations. The IDTA is typically annexed to it.
Does Kenya’s own data protection law help?
It supports the assessment. Kenya’s Data Protection Act 2019 is GDPR-aligned and enforced by the ODPC, which strengthens a Transfer Risk Assessment, but it does not replace the UK exporter’s duty to put a transfer safeguard in place.
Published by Outsourcing.ke.