Simply put, Kenya’s Data Protection Act is a data privacy law enacted in 2019 to protect your privacy by ensuring that companies or organizations do not abuse it.

What is Data Protection, and what does it entail?
It is the process of keeping important data safe from corruption, compromise, or loss. It is also ensuring that it can be restored in case of loss or corruption.

The need for laws to secure people’s data privacy is because organizations demand more and more data every passing day, and the risk of undermining your privacy is high.

Kenya’s Data Protection Act is one of the many data privacy laws that have emerged in recent years globally.

The Act was enacted to monitor institutions and individuals who control or process personal information for people in and outside Kenya.

The Data Protection Act Principles

Lawfulness, fairness, and transparency – Your data should be obtained fairly, with your knowledge and consent.

Purpose limitation – Your data should be collected for a specific purpose communicated to you in advance.

Data minimization – Personal data should be limited to only what is necessary.

Accuracy – Your data MUST be correct, complete, and up to date.

Storage limitation – It should not be kept longer than necessary. Once it has served its purpose, it should be deleted.

Integrity and confidentiality – The data controller must ensure that your data will not be altered or corrupted by any authorized/entitled persons.

Accountability – Institutions or individuals that process or control data should comply with the set data protection laws.

What are the rights of an individual under GDPR?
General Data Protection Regulations (GDPR), which is where the Kenya Data protection Act draws from, grants you these exclusive rights:

• The right to be informed on how they gather your data and how long they plan to retain it.
• The right to access your data whenever you want.
• The right to rectification where data is missing or was updated erroneously.
• The right to the erasure of the data permanently when you feel compromised.
• The right to restrict the processing of the data by the data controller under specific circumstances.
• The right to data portability which means you can collect and reuse your data as you will.
• The right to object to the processing of your data. E.g., when a company wants to use it for marketing purposes.
• The right not to be subject to automated decision-making. Companies must notify you that you will be subject to algorithmic decision-making where you have a right to decline.

Many people do not know this, but the company should share information disclosing race, health status, biometric data, sex, sexual orientation, origin, belief, marital status, and family details without your consent.

The company should notify you anytime they intend to share with a third party. The law is clear that you should know whom they share it with, how long, who else will have access, and what purpose. There should also be security measures to guarantee its safety.
You also reserve the right to withdraw your consent when you want or even request that they delete the information.

However, there are exceptions to this rule. If it is a matter of national security, public interest, or a law that requires disclosure, then the information can and should be shared with the relevant authorities.

Check out our follow-up article on the types of data to be protected, data storage and retention, and what happens in the event of a breach.