Kenya DPA Compliance Playbook for Document Management

A step-by-step playbook for becoming DPA-compliant — registration, consent, DSARs, breach response, sub-processors, and ongoing governance.

The Data Protection Act, 2019 obligates every Kenyan organisation that processes personal data to maintain specific controls. This playbook is the document-management slice of those obligations — what to set up, how to maintain, what auditors look for.

It assumes you're using Papyrus, but the principles apply more broadly.

Step 1 — Register with the ODPC

If you process personal data in a non-trivial way, you must register as a Data Controller and/or Data Processor with the Office of the Data Protection Commissioner. This is a non-negotiable starting point — without it, your processing is unlawful.

  • Visit odpc.go.ke, complete the registration form
  • Cost is currently a few thousand shillings
  • Processing time: typically 2-4 weeks
  • Renewal: annual

Step 2 — Maintain a Records of Processing Activities (RoPA)

Article 9 of the DPA requires a RoPA — a documented inventory of what personal data you process, why, on what lawful basis, who you share it with, and how long you keep it.

In Papyrus, your RoPA can be generated from your document classifications and retention policies. Each Classification Type corresponds to a RoPA entry. Export quarterly; review annually.

Step 3 — Log consent

For lawful bases that rely on consent (marketing, some HR data, some research data), every consent action must be logged with:

  • Subject identity (name, ID, email)
  • Purpose ("consent to process for [purpose]")
  • Lawful basis cited
  • Timestamp and IP of collection
  • Mechanism (form, signature, recorded verbal)
  • Withdrawal trail if applicable

Papyrus's ConsentRecord entity captures all of this. Wire consent capture into every onboarding workflow.

Step 4 — Build the DSAR fulfilment workflow

A Data Subject Access Request (DSAR) gives data subjects the right to see all data you hold about them. Fulfilment deadline: 30 days.

The Papyrus DSAR workflow:

  1. Receive — request comes in via public form or letter
  2. Verify — DPO confirms requestor identity
  3. Search — tenant-wide search by subject's identifying metadata
  4. Review — DPO marks documents in/out of scope (privilege, third-party data)
  5. Compile — approved documents packaged
  6. Deliver — secure external share link with password
  7. Log — DSAR completion entry in audit log

Median fulfilment time on Papyrus: 4 hours.
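The seven-step workflow above as a small case tracker, added here as an example and not code from Papyrus: it enforces the step order, computes the 30-day deadline from the receipt date, refuses to compile before every search hit has an in/out-of-scope decision, and writes one audit entry per step. The class, field and document identifiers are hypothetical and the request data is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

STEPS = ["receive", "verify", "search", "review", "compile", "deliver", "log"]
DEADLINE_DAYS = 30  # statutory fulfilment deadline given in the playbook


@dataclass
class DsarCase:                                        # hypothetical, not a Papyrus entity
    subject: str
    received: date
    step: int = 0                                      # index of the next step due
    documents: dict = field(default_factory=dict)      # doc_id -> (in_scope, reason)
    audit_log: list = field(default_factory=list)

    @property
    def deadline(self) -> date:
        return self.received + timedelta(days=DEADLINE_DAYS)

    def advance(self, step: str, today: date, **detail) -> None:
        """Run the named step; refuse anything out of order or half-done."""
        expected = STEPS[self.step]
        if step != expected:
            raise ValueError(f"step {step!r} out of order, expected {expected!r}")
        if step == "search":                           # hits from the metadata search
            self.documents = {d: None for d in detail["hits"]}
        elif step == "review":                         # DPO decides scope for every hit
            missing = set(self.documents) - set(detail["decisions"])
            if missing:
                raise ValueError(f"unreviewed documents: {sorted(missing)}")
            self.documents.update(detail["decisions"])
        elif step == "compile":                        # only in-scope documents are packaged
            detail["package"] = sorted(d for d, (ok, _) in self.documents.items() if ok)
        self.audit_log.append({"date": today.isoformat(), "step": step, **detail})
        self.step += 1


def run_sample_case() -> DsarCase:
    """Walk a constructed request through all seven steps of the workflow."""
    t0 = date(2024, 3, 1)
    case = DsarCase(subject="subject-0042", received=t0)          # constructed identifier
    case.advance("receive", t0, channel="public form")
    case.advance("verify", t0 + timedelta(days=1), verifier="dpo", method="ID check")
    case.advance("search", t0 + timedelta(days=2), hits=["HR-17", "HR-23", "LEGAL-4"])
    case.advance("review", t0 + timedelta(days=3), decisions={
        "HR-17": (True, ""), "HR-23": (True, ""), "LEGAL-4": (False, "legal privilege")})
    case.advance("compile", t0 + timedelta(days=4))
    case.advance("deliver", t0 + timedelta(days=4), method="password-protected share link")
    case.advance("log", t0 + timedelta(days=4))
    return case
```

The audit log produced by `run_sample_case()` is the kind of per-request record the ODPC asks to see for the last five DSARs.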

Step 5 — Define right-to-erasure procedures

Erasure requests (the “right to be forgotten”) require you to delete a subject's data on request, unless a legal exemption applies (tax records, court orders, etc.). Papyrus's litigation-hold mechanism handles the exemption side; deletion runs through the normal disposition workflow.

Document your decision rationale for each erasure request — auditors look at this.

Step 6 — Conduct DPIAs for high-risk processing

A Data Protection Impact Assessment (DPIA) is mandatory before starting processing that involves:

  • Large-scale processing of special categories (health, biometrics, financial)
  • Systematic monitoring (CCTV, location tracking)
  • New technologies with privacy implications (AI scoring, facial recognition)

The DPIA is itself a document — stored in Papyrus, classified Internal, retained permanently.

Step 7 — Vendor / sub-processor management

Any third party processing personal data on your behalf is a sub-processor. You need a Data Processing Agreement (DPA) with each one, and the list of sub-processors is itself a RoPA component.

Papyrus's sub-processor list is published at papyrus.io/legal/sub-processors. We notify of changes 30 days in advance.

Step 8 — Breach response

If a breach occurs:

  • Detect: technical and organisational measures should surface breaches within hours
  • Contain: stop the bleed (revoke credentials, take systems offline)
  • Assess: who's affected, what data, what risk?
  • Notify: ODPC within 72 hours (DPA requirement); data subjects “without undue delay” if high risk
  • Document: every breach, even minor ones, gets a BreachRecord in Papyrus

Step 9 — Training and awareness

Annual DPA training for all staff. Track completion in Papyrus (each completion is a document on the employee's record). The ODPC asks for training records during inspections.

Step 10 — Ongoing governance

  • Quarterly RoPA review
  • Annual DPIA refresh for high-risk processing
  • Quarterly DSAR metrics review (volume, fulfilment time)
  • Annual sub-processor list audit
  • Quarterly access-review of privileged roles in Papyrus

What the ODPC looks for

In an inspection, the ODPC's first questions:

  1. Are you registered?
  2. Where's your RoPA?
  3. Show me your last 5 DSARs and how they were handled
  4. Show me your DPIAs
  5. Show me your breach register
  6. Show me your sub-processor agreements

Be able to answer all six in 30 minutes. Papyrus makes that achievable.
