
The Kenya Data Protection Act: a practical checklist

Compliance, legal, technical leads · 9 min read

The Kenya Data Protection Act 2019 is not as intimidating as the legal text makes it look. At its core it asks you to know where personal data is, control who can touch it, and be able to show your working. Here is the practical version — written to help you scope the work, not to replace advice from your own counsel.

In plain terms

This is a practical summary for planning purposes, not legal advice. The Office of the Data Protection Commissioner (ODPC) is the regulator, and your obligations depend on your specific circumstances. Confirm the details with a qualified adviser before you rely on them.

What it actually asks of you

Stripped of the legal language, the Act asks you to do a handful of things consistently:

  • Process personal data lawfully, fairly, and for a clear, stated purpose.
  • Keep it secure, and keep only what you need for as long as you need it.
  • Be able to say where it is held and who can access it.
  • Honour data-subject rights — access, correction, deletion — when people ask.
  • Report qualifying breaches to the regulator, and to affected people where required.

Where your infrastructure runs has a direct bearing on most of these — especially security, location, access control, and cross-border transfer.

A checklist mapped to controls

What the Act expects                                | The control that satisfies it
----------------------------------------------------|------------------------------------------------------------
Know where production data and backups sit          | In-country storage on hardware you can name and locate
Restrict who can access personal data               | Least-privilege access on dedicated systems you control
Show who accessed what, and when                    | Audit logging retained and available for review
Govern cross-border transfers                       | Keep data in-jurisdiction so the question rarely arises
Respond to breaches promptly                        | A defined, rehearsed breach-response process

The cross-border transfer trap

Transferring personal data outside Kenya is allowed only under specific conditions — such as appropriate safeguards, the data subject’s consent, or proof of adequate protection at the destination. The simplest way to stay clear of this entirely is not to transfer the data offshore in the first place. In-jurisdiction infrastructure removes the hardest compliance question before it is ever asked.

Technical detail

On dedicated hardware you control access and logging directly, rather than inheriting a shared provider’s controls and hoping they map to your obligations. Metal on Cloud keeps production data, backups, and recovery inside Kenya, with access controls and audit logging available for review — which turns several checklist items into a configuration question instead of a contractual negotiation with an offshore provider.

Key takeaway

Most of the Act becomes straightforward once your data is in-country, on hardware you control, with access logged and a breach process in place. The architecture does the heavy lifting; the paperwork follows. Get the location right first, and the rest gets much shorter.
