Compliance: DPA Records, DSARs and Consent Logs

Kenya's Data Protection Act puts a clock on every Data Subject Access Request. Papyrus makes the clock irrelevant — DSARs become a query, not a project.

The Kenya Data Protection Act, 2019 gives data subjects rights that have deadlines attached:

  • Right of access — fulfilled within 30 days
  • Right to rectification — fulfilled within 30 days
  • Right to erasure — fulfilled within 7 days where applicable
  • Right to data portability — fulfilled within 30 days

Without a unified document system, these deadlines are genuinely scary. With Papyrus, they're routine.

The DSAR workflow

When a data subject (employee, customer, supplier) requests their data:

  1. Receive — Request comes in via the public DSAR form, email, or letter; logged as a DataSubjectRequest record
  2. Verify — DPO confirms the requestor's identity
  3. Search — Run a tenant-scoped search for documents containing identifying metadata (name, ID, email, phone, KRA PIN)
  4. Review — DPO reviews hits for relevance and privilege
  5. Compile — Approved documents bundled into a downloadable archive
  6. Deliver — Secure external share link, time-bounded, password-protected
  7. Log — Full DSAR completion audit entry

Median DSAR fulfilment time on Papyrus: 4 hours, not 30 days.

Every consent collected (HR onboarding, customer registration, marketing opt-ins) is stored as a ConsentRecord:

  • Subject identity
  • Purpose of consent
  • Lawful basis under DPA
  • Timestamp and IP of collection
  • Mechanism (online form, paper signed, verbal recorded)
  • Withdrawal trail if applicable

When consent is withdrawn, downstream documents are flagged for retention review.

Processing records (Article 9)

The DPA requires data controllers to maintain Records of Processing Activities (RoPA). Papyrus's audit log, combined with the document classification system, is your RoPA — searchable, immutable, exportable.

What the DPC inspector wants to see

When the Office of the Data Protection Commissioner inspects:

  • Your DPIA records (Data Protection Impact Assessments) for high-risk processing
  • Your RoPA (processing activities)
  • Your DSAR fulfilment metrics for the past 12 months
  • Your breach notification log (if any)
  • Your sub-processor agreements (DPAs with vendors)
  • Your training records (showing staff have completed DPA training)

All of which live in Papyrus.
