Kenya’s Plan to Tighten Data Protection Compliance Unveiled in ODPC’s 2025–2029 Strategy

  • 11 Jul 2025
  • By Agatha Gichana

The operationalisation of the Office of the Data Protection Commissioner (ODPC) in 2020, with Immaculate Kassait as its inaugural Commissioner, marked a new dawn in Kenya’s data protection landscape. This was just two years after the General Data Protection Regulation (GDPR) came into force in the European Union.

Just five years down the line, the ODPC has registered 7,223 data controllers and processors, developed and published eight guidance notes, and issued 192 advisories on the processing of personal data. During the same period, it received 6,817 complaints from data subjects and successfully resolved 6,516, a 96 per cent resolution rate and a notable feat by local regulatory standards.

However, despite this strong performance, the office has faced several challenges, including political interference affecting its independence, conflicting foreign policy interests on data governance, budgetary constraints, low public trust in the independence of the office, a surge in data breaches and cybercrime, and a weak regulatory framework that does not adequately cover technological advancements.

In a shift in strategy, the ODPC appears to have acknowledged these challenges in formulating its 2025–2029 Strategic Plan, which is anchored on five strategic objectives.

First, the ODPC aims to strengthen data governance by annually reviewing, developing, and implementing policy, legal, and regulatory frameworks related to data protection. Second, it seeks to promote operational and financial sustainability by consistently expanding its human resource capacity. Third, the Office plans to enhance compliance levels through public advocacy, training, partnerships with key stakeholders, and the promotion of research in data protection. The fourth objective focuses on strengthening oversight of data processing operations to bolster enforcement. Finally, the strategy emphasises the promotion of self-regulation among data controllers and processors to foster a culture of accountability and responsible data handling.

On regulatory reforms, the proposed amendments to the Data Protection Act have already been analysed by this platform. With the draft amendments having been submitted to the National Assembly, a Data Protection (Amendment) Bill, 2025, is expected to be tabled soon.

In addition to overhauling its enabling legislation, the ODPC also intends to restructure its institutional framework. Under the new strategic plan, a revised structure has been introduced, including the creation of a Senior Deputy Data Commissioner position to support the Data Commissioner in implementing the strategy. This replaces the previous framework in which the ODPC was supported by four technical directorates, each headed by a Deputy Data Commissioner. The new structure also introduces Assistant Data Commissioners and Assistant Directors to lead various departments.

To support its third strategic objective of improving compliance, the ODPC plans to increase the number of its regional offices from the current seven to thirteen. Existing offices are located in Mombasa, Nakuru, Kisumu, Garissa, Eldoret, Nyeri, and Machakos, each serving clusters of counties.

This comprehensive institutional and regulatory overhaul is projected to cost KSh 12.64 billion over the five-year strategy period. Despite reduced budgetary allocations, the ODPC plans to mobilise resources through expanded partnerships, increased self-generated revenue and targeted sectoral collaborations. Notably, it is also reviewing its service fee structure and proposing adjustments where necessary to help address a KSh 3.675 billion funding gap.

The ODPC’s first five years have reflected a promising journey in establishing a data protection culture in Kenya. While it has demonstrated commendable efficiency in complaint resolution, structural, political, and financial challenges continue to limit its full potential. The 2025–2029 Strategic Plan offers a reset by prioritising governance reform and institutional strengthening.

As the privacy regulatory landscape in Kenya matures, the role of Data Protection Officers (DPOs) within organisations is becoming increasingly critical. With the ODPC implementing its 2025–2029 Strategic Plan and regulatory reforms taking shape, compliance pressure is set to increase. As enforcement becomes more robust and sector-specific through guidance notes, the presence of well-trained and empowered DPOs will be essential for businesses to navigate regulatory scrutiny, mitigate risks, and ultimately build consumer trust.