The Kenya Data Protection Act: a practical checklist
Compliance, legal, technical leads · 9 min read
The Kenya Data Protection Act 2019 is not as intimidating as the legal text makes it look. At its core it asks you to know where personal data is, control who can touch it, and be able to show your working. Here is the practical version — written to help you scope the work, not to replace advice from your own counsel.
In plain terms
This is a practical summary for planning purposes, not legal advice. The Office of the Data Protection Commissioner (ODPC) is the regulator, and your obligations depend on your specific circumstances. Confirm the details with a qualified adviser before you rely on them.
What it actually asks of you
Stripped of the legal language, the Act asks you to do a handful of things consistently:
- Process personal data lawfully, fairly, and for a clear, stated purpose.
- Keep it secure, and keep only what you need for as long as you need it.
- Be able to say where it is held and who can access it.
- Honour data-subject rights — access, correction, deletion — when people ask.
- Report qualifying breaches to the regulator, and to affected people where required.
Where your infrastructure runs has a direct bearing on most of these — especially security, location, access control, and cross-border transfer.
A checklist mapped to controls
| What the Act expects | The control that satisfies it |
|---|---|
| Know where production data and backups sit | In-country storage on hardware you can name and locate |
| Restrict who can access personal data | Least-privilege access on dedicated systems you control |
| Show who accessed what, and when | Audit logging retained and available for review |
| Govern cross-border transfers | Keep data in-jurisdiction so the question rarely arises |
| Respond to breaches promptly | A defined, rehearsed breach-response process |
The cross-border transfer trap
Transferring personal data outside Kenya is allowed only under specific conditions — such as appropriate safeguards, the data subject’s consent, or proof of adequate protection at the destination. The simplest way to stay clear of this entirely is not to transfer the data offshore in the first place. In-jurisdiction infrastructure removes the hardest compliance question before it is ever asked.
Technical detail
On dedicated hardware you control access and logging directly, rather than inheriting a shared provider’s controls and hoping they map to your obligations. Metal on Cloud keeps production data, backups, and recovery inside Kenya, with access controls and audit logging available for review — which turns several checklist items into a configuration question instead of a contractual negotiation with an offshore provider.
Key takeaway
Most of the Act becomes straightforward once your data is in-country, on hardware you control, with access logged and a breach process in place. The architecture does the heavy lifting; the paperwork follows. Get the location right first, and the rest gets much shorter.