2022 has been hailed as Kenya’s year for data protection compliance. Despite enactment of the Data Protection Act in November 2019, enforcement of Kenya’s data protection framework has largely remained hindered due to lack of a functioning regulatory supervisory authority, as well as insufficient regulations to support the mother legislation which is largely principle-based. 

However, the gazettement of the set of draft 2022 data protection regulations constitutes a significant stride in the right direction as Kenya inches towards the development of a comprehensive regulatory framework. The second rendition of the draft regulations has clearly demarcated registration requirements for organisations that determine the purpose and means of processing personal data, including the organisations that process personal data on behalf of others. 

Below is a concise breakdown of the draft 2022 Data Protection Registration of Data Controllers and Data Processors Regulation (registration regulations). 

Registration categories 

Under the registration regulations, organisations can apply for registration as:

• Data controller- an entity that determines the purpose and means for processing personal data; or as a
• Data processor – an entity that has a contractual relationship with a data controller to process data as per the directions of the data controller. 

The registration regulations permit organisations to apply for registration as both a data controller and as a data processor. However, the organisation must pay registration fees for both classifications. 

Requirements for registration application

Organisations applying for registration under the regulations are required to submit the following documentation to the Data Commissioner for verification of authenticity:

• A copy of the organisation’s establishment documents;
• Particulars of the data controller or data processor including name and contact details;
• A description of the purpose for which personal data is processed; and
• A description of the categories of personal data being processed.

The Data Commissioner may decline an application on the following grounds:

• The particulars provided for inclusion in an entry in the register are insufficient;
• Appropriate safeguards for privacy protection of the data subject have not been provided by the data controller or data processor; or
• The data controller or data processor is in violation of any provisions of the Act and these Regulations.

Certificate of registration 

Following a successful application, the organisation will be issued with a certificate of registration and shall be duly included in the register of data controllers and data processors maintained by the Data Commissioner. 

The registration certificate is valid for 24 months (two years) from the date of issuance. Once the two years elapse, the organisation is expected to apply for a certificate renewal with the Data Commissioner.

However, an organisation must begin a fresh application for a registration certificate in the instance that it seeks to process additional categories of personal data, or the entity processes data for a distinct purpose from when it made its initial registration. 

Certificate registration and renewal costs 

The registration regulations have provided the following fee structure to be paid to the Data Commissioner when making applications and renewals of registration certificates:

Mandatory Registration

The registration regulations explicitly identify the industries and categories of entities that are expected to register with the Data Commissioner’s Office. The categories of entities listed below, by the very nature of their business operations and model, engage in large scale collection, processing and analysis of personal data, including the industries that process sensitive personal data on a regular basis:

1. Canvassing political support among the electorate.
2. Crime prevention and prosecution of offenders (including operating security CCTV systems).
3. Gambling.
4. Operating an educational institution.
5. Health administration and provision of patient care.
6. Hospitality industry firms, but excludes tour guides.
7. Property management including the selling of land.
8. Provision of financial services.
9. Telecommunication network or service providers.
10. Businesses that are wholly or mainly in direct marketing.
11. Transport services firms (including online passenger hailing applications)
12. Businesses that process genetic data.

Offences for non-registration 

The regulations have spelled out the following registration specific offences punishable by a maximum penalty of Kshs. 3 million and/or an imprisonment term not exceeding 10 years for each offence:

• Processing personal data without registering in accordance with the Regulations;
• Providing false or misleading information for the purpose of registration; or
• Failing to renew a certificate of registration after expiry, but still continue to process personal data. 

Kenyan data controllers and processors have six months from January 14, 2022, to prepare and anticipate enforcement of the registration regulations. Organisations operating within the industries marked for mandatory registration should begin to consolidate the prerequisite documents and forms necessary for registration application. 

The draft 2022 (Registration of Data Controllers and Data Processors) Regulations, alongside the draft (General) Regulations and the draft (Complaints Handling Procedure and Enforcement) Regulations are due to be tabled before the National Assembly’s Delegated Legislation committee for further deliberation.