Data Protection Regulations: What To Expect

  • 9 Apr 2021
  • by Wanjiku Mwai

In January 2021, the Cabinet Secretary for Information, Communications, Technology, Innovation and Youth Affairs, Hon. Joe Mucheru, constituted the Taskforce on the Development of Data Protection General Regulations. The mandate of this Taskforce is to develop data protection regulations, conduct a comprehensive audit of the Data Protection Act, 2019 (DPA), identify gaps in the law and propose amendments. The Taskforce is also expected to sensitize stakeholders and the public on the Data Protection (General) Regulations and to undertake stakeholder and public consultation on them.

The Taskforce comprises Chairperson Immaculate Kassait and members Dr. Humphrey Njogu, Eng. Daniel Obam, Christopher Maina, Duncan Nyale, Marion Muriithi, Miriam Kakenya, Thuranira Gatuyu, Damaris Mukala, Rose Mosero, Victor Nzomo and Augustus Munywoki. The Joint Secretaries for this Taskforce are Rahab Juma and Brenda Gabantu.

What the Act says

The Data Protection Act, 2019 states that the Cabinet Secretary may make Regulations to provide suitable measures to safeguard a data subject’s rights, freedoms and legitimate interests in connection with the taking of decisions based solely on automated processing. Other areas where the Act expects the Cabinet Secretary to make regulations are:

  • the requirements which are imposed on a data controller or data processor when processing personal data
  • mechanisms for conducting a certification program
  • the contents which a notice or registration by a data controller or data processor should contain
  • information to be provided to a data subject and how such information shall be provided
  • the levying of fees and taking of charges
  • the measures to safeguard a data subject’s rights, freedoms and legitimate interests 
  • the processing of data through a data server or data centre in Kenya
  • issuing and approval of codes of practice and guidelines
  • any other matter that the Cabinet Secretary may deem fit.

So far the Data Protection Commissioner has issued two Guidance Notes: 

(1) Guidance Note on Consent, and 

(2) Guidance Note on Data Protection Impact Assessment. 

The Guidance Note on Consent provides guidance on the processing of personal data on the basis of consent whereas the Guidance Note on Data Protection Impact Assessment provides guidance to data controllers and data processors on when and how to conduct Data Protection Impact Assessments.

To celebrate 100 days, the Office of the Data Protection Commissioner (ODPC) launched its official website, www.odpc.go.ke, which it intends to be a resource for data protection information such as guidelines, compliance requirements and the rights of data subjects. Through the website, members of the public will be able to report breaches, file complaints or raise privacy concerns with the Data Protection Commissioner.

On that day it was also announced that the Data Protection Commissioner had prepared the following draft Guidelines that are awaiting comments and input from the public: 

  • Guidelines on Registration of Data Controllers and Processors; 
  • Certification of Data Controllers and Processors; 
  • Appointment of Data Protection Officers; and 
  • Data Sharing Code and Enforcement. 

The Guidelines are yet to be made public.

On 7th April 2021, the Taskforce on the Development of Data Protection General Regulations, led by the Office of the Data Protection Commissioner, briefed the Ministry of ICT, led by Cabinet Secretary Joe Mucheru and Principal Secretary Jerome Ochieng. The Taskforce will hold public consultations on the Regulations later this month.