680 certified data handlers registered in two months


Data Protection Commissioner Immaculate Kassait at a past event on March 29, 2023. PHOTO | WACHIRA MWANGI | NMG

The Office of the Data Protection Commissioner (ODPC) has issued an additional 680 compliance certificates to data handlers in the last two months, bringing the total number of approved entities to 2,303.

The registration commenced on July 14 last year following the enactment of regulations by Parliament requiring all entities handling the personal information of individuals in Kenya to register as data processors and controllers.

Read: Data agency certifies 1600 entities in drive

In January this year, Data Protection Commissioner Immaculate Kassait launched the Data Protection Registration System that gave applicants the latitude to take personal charge of the registration, a move that has speeded up the compliance rates compared to the numbers recorded last year.

Prior to the launch of the system, only 1,417 entities had been certified in a six-and-a-half-month registration drive.

The system allows eligible entities to go to the ODPC website, apply for registration, have their documents verified and have a digital certificate issued, with registration costs ranging between Sh4,000 and Sh40,000.

The legislation that ushered in the registration drive includes the data protection (General) Regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

The rules came into force against the backdrop of increased complaints about the lack of data protection laws and abuse of personal information, especially by digital lenders, political parties and human resource departments.

Among the entities targeted include telecommunications firms, digital ride-hailing service providers, building managers and businesses operating CCTV, dispensaries, and primary and secondary schools.

The Data Commissioner had marked 13 sectors for mandatory registration including processors of genetic data like medical research companies and medical labs, bars, restaurants and healthcare providers.

Others on the list were law firms, property managers, real estate agencies, and financial service providers such as digital lenders, Saccos and mobile money agents.

Read: Only 1600 entities have complied with new data laws

Organisations that have an annual turnover of less than Sh5 million or less than 10 employees have been exempted from registration.

Companies that breach the rules face fines of not more than Sh5 million or up to one per cent of their annual turnover.

[email protected]