Data agency certifies 1,600 entities in drive


Data Protection Commissioner, Immaculate Kassait. FILE PHOTO | JEFF ANGOTE | NMG

The Office of the Data Protection Commissioner (ODPC) has issued compliance certificates to 1,623 data processors and controllers since the registration started mid-July last year on the arrival of a new set of regulations in March.

The new number is a marginal rise from the last reported figure of 1,417 by the close of January this year, translating to 206 entities licensed in two months. ODPC had earlier reported the issuance of 332 certificates as of September 2 last year.

Read: Watchdog certifies 1400 entities as data handlers

In January, Data Protection Commissioner Immaculate Kassait launched the Data Protection Registration System that gave applicants the latitude to take personal charge of the registration, indicating the certificates would be renewable every two years.

“The new registration system will be able to display the entire process of registration and everything will be completed online,” Kassait stated.

The rules enacted by Parliament require entities handling the personal information of individuals in the country to register as data controllers or processors.

They include the data protection (General) regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

Firms found to be in breach of the rules are liable to fines of not more than Sh5 million or up to one percent of their annual turnover.

The legislative intervention came on the backdrop of increased complaints about the lack of data protection laws coupled with abuse of personal information especially by among others, digital lenders, political parties and HR people.

Read: Data protection trends, enforcement in Kenya

Among the entities targeted by the new legal regime are telecom companies, building managers, CCTV operators, digital ride-hailing service providers, dispensaries and schools.

Ms Kassait has put 13 sectors on the radar for compulsory registration including processors of genetic data like bars, restaurants, medical research companies and healthcare labs.

[email protected]