The Kenyan Office of the Data Protection Commissioner (ODPC) has implemented stricter regulations on consumer data protection, specifically targeting fintechs and startups in the region.
This regulation builds on Kenya’s 2019 Data Protection Act, mandating that startups register with the ODPC when processing personal data. Entities can register as either Data Processors or Data Controllers, with a fee applicable for each registration if both roles are assumed. Data Controllers are defined as those who select and profit from the use of personal data, while Processors handle data on behalf of third parties.
All financial services entities are required to register, regardless of their annual turnover or employee count. This legislation will particularly impact large tech companies and fintech startups, as they will need to disclose the personal data they process, the purposes for its collection, and the individuals from whom they collect it.
The law stipulates that all data processing entities must register with the ODPC, paying fees based on the number of employees, revenue, and whether the organization is public or private.
Similar to the EU’s GDPR, the new regulations require firms to obtain consumer consent for data usage and to inform them of the reasons for data collection and storage.
This update highlights the importance of holding companies accountable for their data collection practices and ensuring consumer protection. To comply, entities must report any data breaches to the ODPC within 72 hours, or they risk facing penalties, including imprisonment and fines.
Kenya’s Data Commissioner, Immaculate Kassait, stated: “Registration is just one, but very important, element of compliance with the data protection legislation as entities, including individuals, cannot act as Data Controllers or Data Processors in Kenya unless they have registered with the ODPC.”