The Data Protection Commissioner has published the draft Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. These Regulations will give effect to the provision of the Data Protection Act that provides for the registration of data controllers and data processors.

 The registration of data processors and controllers is a practice that has been in place in other jurisdictions such as the United Kingdom. The ICO in its website states that they use the “data protection fee” to fund its work and it is no surprise that the Kenyan Data Protection office has also adopted a similar regime.

The draft regulations propose that data controllers apply for registration as both a data controller and a data processor with regards to any processing operations subject to paying the requisite fees. But not everyone who processes personal data as a controller or processor has to register as the Regulations propose some criteria. Data controllers or processors whose annual turnover or annual revenue is below five million shillings and employ less than ten people are exempt from the mandatory registration under the regulations.

 An eligible applicant will be required to apply using the prescribed form accompanied by:

• the Registration fees,
• establishment documents,
• particulars of the data controllers or processors,
• a description of the purpose for which personal data is processed,
• a description of categories of personal data processed and
• any other relevant information that the DC may require.

Upon receipt of an application, the Data Commissioner will carry out a verification process. If satisfied that all the requirements have been met, the DC will within 14 days issue the applicant with a renewable certificate of registration valid for one year.

The Data Commissioner may reject an application due to insufficient particulars, lack of provision of appropriate safeguards for the protection of the privacy of the data subject provided

by the data controller or a data processor, or where the applicant data processor or controller is in violation of the provisions of the Act. A data controller or data processor whose application for registration or renewal has been declined may however make a fresh application upon complying with the requirements specified in the refusal notice.

Upon successful registration, a data controller or data processor will be issued with a certificate by the Data Commissioner which must be displayed in all their premises and website.

By dint of approving which data processing an entity can engage in, the Regulations make it an offence to engage in data processing outside the agreed scope. This provision will force data processors and data controllers to adhere to the necessity principle as they won’t have leeway to engage in unnecessary data processing activities.

As stated earlier, the Regulations provide the Data Commissioner with revenue collection powers and the Schedule contain tables with different fees. Registration fees start at Ksh.1,000 for the lowest tier of applicants with the highest at Ksh. 20,000.  

The Data Commissioner and the Taskforce are still accepting comments on the Regulation and they have planned public participation forums next week on Tuesday, Wednesday and Thursday.