Introduction
The collection and processing of personal data in Kenya is regulated under the Data Protection Act. Organizations and individuals handling such data, i.e. data controllers and data processors, must register with the Office of the Data Protection Commissioner (ODPC) and obtain a certificate of registration.
This article explains the registration process, legal requirements, and consequences of non-compliance.
Legal Framework for Registration
The Data Protection Act and the Data Protection (Registration of Data Controllers and Processors) Regulations set out the registration requirements. The Act creates the Office of the Data Protection Commissioner (ODPC) as the authority responsible for registering data controllers and processors, overseeing compliance with data privacy laws, and ensuring accountability in data handling.
Who Must Register as a Data Controller or Processor?
A Data Controller determines the purpose and means of processing personal data. Examples include banks, hospitals, government agencies, and e-commerce businesses.
A Data Processor processes personal data on behalf of a controller. Examples include cloud storage providers, payroll service providers, and outsourced customer service companies.
Both controllers and processors must register with the ODPC if they:
- Handle personal data of Kenyan citizens or residents.
- Operate within Kenya or offer goods and services to Kenyans.
- Process data that poses a high risk to individuals, such as financial, health, or biometric data.
Registering as a data controller or processor provides several advantages:
- Legal Compliance – Avoids fines and legal risks.
- Customer Trust – Demonstrates a commitment to data privacy.
- Business Credibility – Enhances reputation and facilitates partnerships.
- Regulatory Support – Access to guidance from the ODPC.
The Registration Process for Data Controllers and Processors
The process involves several key steps:
1. Determine Whether Registration is Mandatory
Not all controllers and processors need to register. The ODPC exempts certain small businesses and low-risk data handlers.
2. Prepare the Required Information
Applicants must provide:
- Business name and registration details.
- Nature of data processed.
- Purpose of processing.
- Security measures that are in place.
3. Submit an Application
Applications are made through the ODPC online portal. A registration fee applies, depending on the organization’s size and risk level.
4. Review and Approval
The ODPC reviews the application and issues a certificate of registration if all requirements are met. The certificate must be renewed periodically.
Registration Fees
The registration fees depend on the size and type of the organization. The ODPC classifies businesses into different tiers, with fees ranging from KES 4,000 to KES 40,000. Large corporations and high-risk processors pay higher fees.
Responsibilities After Registration
Once registered, data controllers and processors must:
- Comply with data protection laws and safeguard personal data.
- Report data breaches within 72 hours.
- Conduct Data Protection Impact Assessments for high-risk processing activities.
- Renew registration as required by the ODPC.
Penalties for Non-Registration with the ODPC
Failure to register as a data controller or processor can lead to:
- Fines of up to KES 5 million or 1% of annual turnover, whichever is higher.
- Business restrictions or suspension by the ODPC.
- Legal action for privacy violations.
Conclusion
Registration of data controllers and processors in Kenya is a legal requirement for organizations handling personal data. Compliance with the Data Protection Act, 2019 ensures data security, legal protection, and consumer trust. Businesses must assess their obligations, complete the registration process, and follow data privacy laws to avoid penalties.