Comparing Kenya DPA to GDPR: A Practical View
How Kenya's 2019 Data Protection Act compares with Europe's GDPR — where they align, where they diverge, and what that means for operations.
The Kenya Data Protection Act, 2019 is the GDPR's younger cousin — substantively similar, structurally similar, but tuned for the Kenyan operating environment. If you've implemented GDPR controls, you're 80% of the way to DPA compliance. Here's the other 20%.
Where they align
- Definitions — “personal data”, “data subject”, “data controller”, “data processor” map cleanly
- Lawful bases — consent, contract, legal obligation, vital interest, public interest, legitimate interest — both regimes recognise the same six
- Data subject rights — access, rectification, erasure, restriction, portability, objection — both regimes grant the same set
- Special categories — health, biometrics, financial, sexual orientation, ethnic origin — both regimes apply stricter protections
- Records of processing activities (RoPA) — both require maintenance
- Data Protection Impact Assessment (DPIA) — both require for high-risk processing
- Breach notification — both require notification to the regulator (and data subjects, where applicable)
Where they diverge
1. Regulator and registration
Kenya: Office of the Data Protection Commissioner (ODPC). Mandatory registration as a data controller/processor.
GDPR: Various national supervisory authorities. No general registration requirement.
The Kenyan registration is a practical bottleneck — without registration, you cannot lawfully process. Build it into your launch checklist.
2. Cross-border transfers
Kenya: requires proof of “appropriate safeguards” (similar to GDPR), plus an Adequacy Decision from the Cabinet Secretary for transfers to specific countries.
GDPR: established list of “adequate” countries.
If you transfer data from Kenya to the UK, you're fine. To the US, you need contractual safeguards (SCCs) plus a justified transfer impact assessment.
3. Breach notification timeline
Kenya: 72 hours to the ODPC — same as GDPR. But Kenyan notification includes more specific data points (number of affected subjects, types of data, remedial measures).
4. Penalties
GDPR: up to 4% of global annual turnover or €20M (whichever is higher).
Kenya: up to KES 5,000,000 or 1% of annual turnover (whichever is lower). Materially lower nominal penalties; however, “annual turnover” interpretation can be aggressive.
5. DPO requirement
Both require a Data Protection Officer for certain categories of organisation. The Kenyan threshold is broader (more organisations need one) but the qualifications are more loosely defined.
What's distinctly Kenyan
Children's data
The DPA sets the age of consent at 18 (GDPR is 16, with member-state variation down to 13). For Kenyan organisations that process minors' data — schools, paediatric clinics, NGOs working with youth — this matters.
Local representation
Foreign data controllers processing Kenyan data must appoint a local representative. GDPR has analogous Article 27 requirements but with slightly different triggers.
Data localisation
The DPA does not yet impose general data localisation. But sectoral regulators (CBK, IRA, EPRA, MoH) have started writing localisation requirements into their sector regulations. Plan for a future where critical data must reside in Kenya.
Practical compliance posture
If you operate in both regimes:
- Build to GDPR — it's stricter; DPA compliance follows
- Register in Kenya (no GDPR equivalent)
- Maintain a DPIA register for high-risk processing under both regimes simultaneously
- Tune your privacy notice for both audiences (the notice for Kenyan subjects has specific required content)
- Plan for sectoral localisation if you operate in CBK / IRA / EPRA / health-regulated sectors
How Papyrus helps
Papyrus's DPA compliance pack: pre-configured consent record schemas, DSAR workflow templates, DPIA templates, RoPA generation from the audit log, breach notification workflow. See the Kenya DPA Compliance Playbook for the full walkthrough.