Kenya Data Protection: New mandatory registration for businesses

The publication in the Kenya Gazette of the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021 (via Legal Notice no. 265) implemented section 18 of the Data Protection Act 2019, which provides for mandatory registration of data controllers and processors by the Data Protection Commissioner (DPC).

Mandatory registration will now commence on 14th July 2022.

In summary:

All persons and entities that process personal data (as controllers or as processors) are now required to register with the DPC, except those with annual turnover or revenue below KES million and fewer than ten employees.

Data processors and controllers with annual turnover below KES five million and fewer than ten employees must nevertheless register if they process personal data in the course of activities or services listed in the 3rd Schedule of the Regulations. These services include schools, health administration, hospitality services and financial services.

Employees of data controllers are not themselves considered data processors if they process personal data in the course of their employment duties.

Failure to register with the DPC is an offence, carrying an imprisonment term of up to 10 years and/or a fine of up to KES three million upon conviction.