Kenya Data Protection Act 2019: AI Compliance Requirements

Kenya's Data Protection Act No. 24 of 2019 entered into force November 8, 2019, with the Data Protection (General) Regulations and other subsidiary legislation issued in 2021. The Office of the Data Protection Commissioner (ODPC) enforces the Act. The Act applies to all organizations processing personal data of Kenyan residents (or where processing takes place in Kenya), including foreign organizations.

AI-relevant provisions: Section 33 provides data subjects the right to object to automated decision-making that produces legal effects or significantly affects them, and the right to request human review. Data controllers using AI for profiling or automated decisions must conduct Privacy Impact Assessments. Biometric data (increasingly used in AI systems) is classified as sensitive and requires explicit consent.

Key Facts

Effective Date

November 8, 2019

Maximum Penalty

KES 5,000,000 (~$38,000 USD) or up to 10 years imprisonment for willful violations; regulatory orders from ODPC

What Your Business Must Do

3 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.

Automated Decision Rights (Section 33)

Critical

Kenya DPA Section 33: data subjects have the right to object to automated processing — including AI profiling — that produces decisions with legal or significant effects. Provide: (1) Disclosure in privacy notice when AI drives significant decisions. (2) A process to submit objections and request human review. (3) Response and human review within a reasonable timeframe. Document your automated decision systems and objection handling procedures.

Privacy Impact Assessment for AI

High Priority

Kenya DPA requires Privacy Impact Assessments for high-risk processing including automated decision-making, large-scale profiling, and processing of sensitive data categories. Before deploying AI systems that process Kenyan residents' personal data, conduct and document a PIA. Submit to the ODPC if required (ODPC may request PIAs for high-risk deployments).

Data Controller/Processor Registration with ODPC

Medium Priority

Organizations processing personal data of Kenyan residents must register as data controllers and/or data processors with the ODPC (odpc.go.ke). This includes foreign organizations. Registration must be renewed. Failure to register is a separate offense from data protection violations.

Frequently Asked Questions

Does Kenya Data Protection Act 2019 apply to my business?

Kenya's Data Protection Act No. 24 of 2019 entered into force November 8, 2019, with the Data Protection (General) Regulations and other subsidiary legislation issued in 2021. The Office of the Data Protection Commissioner (ODPC) enforces the Act. The Act applies to all organizations processing personal data of Kenyan residents (or where processing takes place in Kenya), including foreign organizations. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.

What is the penalty for non-compliance?

The maximum penalty under Kenya Data Protection Act 2019 is: KES 5,000,000 (~$38,000 USD) or up to 10 years imprisonment for willful violations; regulatory orders from ODPC. Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.

How do I comply with Kenya Data Protection Act 2019?

The 3 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.

Official Source

https://www.odpc.go.ke/data-protection-act/

Last updated: 2026-04-12 — verify at source before relying on this information.