DATA PROTECTION & PRIVACY by Thrity Engineer-Mbuthia

Did you know that Kenya has Data Protection and Privacy Laws? The Kenya Data Protection Act was enacted in November 2019, after many years of stakeholders working together to get it signed into law.

The Act has many similarities to the General Data Protection Regulation (GDPR), the data privacy and protection law of the European Union. GDPR is regarded as the toughest security and privacy law in the world. One notable aspect of this law is that it imposes obligations on organizations in any part of the world, as long as they collect and process data of people living in the European Union.

This simply means that you cannot say you are not impacted just because your business is in Kenya. Your business has an obligation to comply with the GDPR regulations. Similarly, the Kenya Data Protection Act places the same requirements and obligations on businesses outside of Kenya, so your data also has to be protected in line with Kenyan law if it is collected and processed by a business outside Kenya.

The Office of the Data Protection Commissioner was in place by 2021, after the swearing in of the first Data Commissioner, Ms Immaculate Kassait. Its mandate is to regulate the processing of personal data, protect the privacy of individuals and their data, and establish the legal mechanisms to protect data, among other things.

What is personal data?

This is any data relating to an identifiable natural person, e.g. name, address, age, telephone number, gender, date of birth, race, religious beliefs, genetic data, biometric data, health data, etc.

One of the most challenging things about the Data Protection Act is the understanding of how to apply these principles to everyday situations, especially for small businesses.

Every data subject has certain rights, including the right to access their data that is being held by an organization, the right to object to processing, and the right to request that their data be transferred and/or erased.

There are also some principles that guide data protection. These are the principles businesses need to adhere to when they are collecting, processing and storing personal data.

Transparency

This means that when a business collects data, it should be able to state what the data is being collected for. For example, you organize a webinar and collect the name and email address of those interested in attending, and then use the information you have collected to send them a newsletter or other offers. You have not been transparent about the reason you collected the data in the first place. Or you start a WhatsApp group, state that it is for one purpose, but end up using it for additional purposes outside the scope of the initial set up. This is a common error if you run more than one business and decide to bombard your clients with everything you do.

Purpose limitation 

Only collect data for the purpose you need the information. E.g. if you have customers making payments to you via mobile money, then the only reason you need their details is for the transactions. This means you cannot then proceed to bombard them with text messages about other products.

Integrity and confidentiality 

This focuses on ensuring that the data is secured and is only accessed by specific individuals who have been authorized to access the data. There are cases where employees get access to databases and decide to copy all the information and contacts to use for their own personal benefit. It is the responsibility of a business to identify who will have access to the data, who will process it and how this data should be secured to avoid any breach.

Data minimization 

This means collecting the least amount of data needed. It serves two roles: first, minimal data is easy to maintain and update where needed, and second, if there is a breach then only limited information is exposed. A good example: when you collect a client’s details, you may want to collect their name, email address and telephone contact. Do you need to collect their physical address, their spouse’s details and their children’s dates of birth? Probably not.

Accuracy

It is the responsibility of a business to ensure that the data it collects is as accurate as possible. Therefore any request to correct data must be acted on promptly, and all reasonable efforts must be made to keep the data as up-to-date as possible.

Storage limitation 

It is important to have a policy on how long you intend to store the data e.g. if you sell cakes and you have collected information from your client on their preferences, the address details for delivery of the cake and other personal data, for how long will you store this information? Would it be 6 months or 6 years? What is a reasonable timeframe for you to store the information? Each business can make an assessment of this and decide what works. Exceptions to this would be any legal requirements for you to retain information e.g. for security purposes, but cakes probably don’t fall into this category.

A couple of additional things you need to know: you must provide an opt-out option so that the data subject can opt out of any communication sent to them at any time. The opt-out option must be indicated on all materials and must be simple to use.

You must also collect and record consent given by the data subject to collect and process their data. This is why many websites today ask you to consent to cookies and give you options on which consent can be given. If you have a website in place, you can borrow from this practice.

When consent is given, it should be unambiguous, which means it must not only be clear and concise, but also granted rather than assumed. A business can ask whether you wish to receive communication from them via a newsletter, and the data subject would tick a box giving consent. Be careful to ask for consent for every item, e.g. give them separate options to tick for newsletter, text message and email, so that they can control what they wish to receive. Do not pre-tick the boxes for them.

Data privacy not only relates to information about your customers but any information for any stakeholder of your business e.g. your suppliers, your distributors and even your investors.

This is but a snippet into the world of Data Protection and Privacy. For more guidance, please consult your legal or finance professional consultant.

Article written by:

Mrs Thrity Engineer-Mbuthia

E: thrity@thrityengineer.org

T: +254 737 700699

Skype: thrity.engineer