2022 has been hailed as Kenya’s year for data protection compliance. Despite enactment of the Data Protection Act in November 2019, enforcement of Kenya’s data protection framework has largely remained hindered due to lack of a functioning regulatory supervisory authority, as well as insufficient regulations to support the mother legislation which is largely principle-based.
However, the gazettement of the set of draft 2022 data protection regulations constitutes a significant stride in the right direction as Kenya inches towards the development of a comprehensive regulatory framework. The second rendition of the draft regulations has clearly demarcated registration requirements for organisations that determine the purpose and means of processing personal data, including the organisations that process personal data on behalf of others.
Below is a concise breakdown of the draft 2022 Data Protection Registration of Data Controllers and Data Processors Regulation (registration regulations).
Registration categories
Under the registration regulations, organisations can apply for registration as:
- Data controller- an entity that determines the purpose and means for processing personal data; or as a
- Data processor – an entity that has a contractual relationship with a data controller to process data as per the directions of the data controller.
The registration regulations permit organisations to apply for registration as both a data controller and as a data processor. However, the organisation must pay registration fees for both classifications.
Requirements for registration application
Organisations applying for registration under the regulations are required to submit the following documentation to the Data Commissioner for verification of authenticity:
- A copy of the organisation’s establishment documents;
- Particulars of the data controller or data processor including name and contact details;
- A description of the purpose for which personal data is processed; and
- A description of the categories of personal data being processed.
The Data Commissioner may decline an application on the following grounds:
- The particulars provided for inclusion in an entry in the register are insufficient;
- Appropriate safeguards for privacy protection of the data subject have not been provided by the data controller or data processor; or
- The data controller or data processor is in violation of any provisions of the Act and these Regulations.
Certificate of registration
Following a successful application, the organisation will be issued with a certificate of registration and shall be duly included in the register of data controllers and data processors maintained by the Data Commissioner.
The registration certificate is valid for 24 months (two years) from the date of issuance. Once the two years elapse, the organisation is expected to apply for a certificate renewal with the Data Commissioner.
However, an organisation must begin a fresh application for a registration certificate in the instance that it seeks to process additional categories of personal data, or the entity processes data for a distinct purpose from when it made its initial registration.
Certificate registration and renewal costs
The registration regulations have provided the following fee structure to be paid to the Data Commissioner when making applications and renewals of registration certificates:
| Category | Description | Registration fee inKshs. per DataController/Processor)(payable Once) | Renewal fee in Kshs.per DataController/Processor)(after every 2 years) |
| Micro and Small Data Controllers/Processors | A data controller/ processor with between 1 and 50 employees and an annual turnover /revenue of a maximum of Kshs 5 million | 4,000/= | 2,000/= |
| Medium Data Controllers /Processors | A data controller/ processor with between 51 and 99 employees and an annual turnover /revenue of between Kshs 5,000,001 and maximum of Kshs 50,000,000 | 16,000/= | 9,000/= |
| Large DataControllers/Processors | A data controller /processor with more than 99 employees and an annual turnover /revenue of more than Kshs 50 million | 40,000/= | 25,000/= |
| Public Entities | A data controller /processor offering government functions (Regardless of number of employees or revenue /turnover) | 4,000/= | 2,000/= |
| Charities and Religious Entities | A data controller/ processor offering charity or religious functions (Regardless or revenue /turnover) | 4,000/= | 2,000/= |
Mandatory Registration
The registration regulations explicitly identify the industries and categories of entities that are expected to register with the Data Commissioner’s Office. The categories of entities listed below, by the very nature of their business operations and model, engage in large scale collection, processing and analysis of personal data, including the industries that process sensitive personal data on a regular basis:
- Canvassing political support among the electorate.
- Crime prevention and prosecution of offenders (including operating security CCTV systems).
- Gambling.
- Operating an educational institution.
- Health administration and provision of patient care.
- Hospitality industry firms, but excludes tour guides.
- Property management including the selling of land.
- Provision of financial services.
- Telecommunication network or service providers.
- Businesses that are wholly or mainly in direct marketing.
- Transport services firms (including online passenger hailing applications)
- Businesses that process genetic data.
Offences for non-registration
The regulations have spelled out the following registration specific offences punishable by a maximum penalty of Kshs. 3 million and/or an imprisonment term not exceeding 10 years for each offence:
- Processing personal data without registering in accordance with the Regulations;
- Providing false or misleading information for the purpose of registration; or
- Failing to renew a certificate of registration after expiry, but still continue to process personal data.
Kenyan data controllers and processors have six months from January 14, 2022, to prepare and anticipate enforcement of the registration regulations. Organisations operating within the industries marked for mandatory registration should begin to consolidate the prerequisite documents and forms necessary for registration application.
The draft 2022 (Registration of Data Controllers and Data Processors) Regulations, alongside the draft (General) Regulations and the draft (Complaints Handling Procedure and Enforcement) Regulations are due to be tabled before the National Assembly’s Delegated Legislation committee for further deliberation.
