How to ensure your business is compliant as the data protection regulator tightens the noose on offenders


I read a notice by the Office of the Data Protection Commissioner issuing penalties to several companies on breach of data privacy rights and non-compliance with the Data Protection Act. I have an entertainment company that diversifies into a number of things. We do events, photography, videography and makeup artistry. Most of our clients ask for samples of prior work, and in a business such as ours it is inevitable to use past work when pitching for work. My business runs a social media page where we post pictures of past events. What tips do you have for businesses such as ours?


Dear George, if you have been posting pictures of people attending your events without their permission, it is time to stop. Kenya’s legislative framework changed almost 13 years ago when the right to privacy was enshrined in the 2010 Constitution.

Pursuant to the 2010 Constitution, a new law, the Data Protection Act, was passed in 2019. Kenya has a very strong legal framework when it comes to data protection and protection of privacy.

An expert in the field told me Kenya has the strongest legislation in Africa when it comes to protection of data and privacy. The 2019 Act almost mirrors the data protection regulations passed by the European Union in 2018.

There have been a number of cases following the laws that have been passed. The communication you saw from the Office Of Data Protection Commission (ODPC) was enforcement. The ODPC is the regulator and enforcer of data protection in Kenya. The public can file complaints with the regulator in cases of data breaches.

The regulator will then investigate the complaints and make decisions. In the communication by ODPC earlier in the week, the companies were found to have breached the regulations and were fined.

A complainant can still pursue court action against the offending company by filing civil claims for damages on the same. There is a wealth of case law on this.

George, in a nutshell, the law requires you to respect and uphold your customers’ privacy and take steps to ensure their data and privacy is protected.

Your customers also have image rights and this means they have the right to have their image protected from unauthorised use.

A business such as yours handles a lot of data on behalf of customers and other third parties. This data includes images, phone numbers and even emails. The law requires you to protect the privacy of your clients.

Your clients have what are known as “data subject rights.” These are the statutory rights in so far as their data is concerned, and they fall into 8 main categories. The rights include the right to be informed of the reason why you are taking their data, right to access, right to object, right of erasure, right to rectify, right to complain, right to damages and right to data portability.

To remain compliant, you will then need to put into place systems and procedures that uphold these rights. One is to ensure that your customers give their consent before you take their images.

Let them know that you may use their images and data in your social media pages and to pitch for work. The consent ought to be in writing.

You may need to do a data protection audit. An expert will help you assess your data protection practices and make recommendations on changes.

You will need to get a data compliance certificate from the regulator. This can be done with the help of an expert who will help you prepare for that.

Ms Mputhia is the founder of C Mputhia Advocates
