Kenya Data Protection Crackdown: ODPC Is Fining Companies—But Is It Enough?

In 2024, the Office of the Data Protection Commissioner (ODPC) in Kenya took a scatter-gun approach to enforcement, issuing 51 determinations with fines averaging around 522,308 Kenyan Shillings (KSh) per case for data protection violations. The fines were levied against businesses in many sectors, from financial institutions to education and healthcare.
This appears to be a strong stride toward safeguarding consumer data rights. But is such regulation proving effective, or could it become a symbolic exercise rather than a transformational change?
What Sparked the Kenya Data Protection Crackdown?
The crackdown is carried out under the provisions of the Data Protection Act (2019) and responds to increasing public outcry about the manner in which personal data is collected, retained, and used, most notably in the finance, digital lending, health, education, and hospitality industries. The ODPC has made it clear that violations will not go unchecked.
Companies found to have breached these laws were fined an average of 522,308 KSh, and fines went higher than 1 million KSh in some cases. The top offenders are digital lenders, financial service providers, schools, and health institutions, all of which handle extremely sensitive data.
Are the Fines Enough to Deter Violators?
The Kenya data protection crackdown may represent a step in the right direction, but the question arises as to how far those fines actually reach. For big corporations, especially in finance and fintech, these penalties may prove far too small to ever act as a deterrent.
Contrast this with the EU GDPR, which allows sanctions of up to 4% of a company's worldwide annual turnover. The crackdown is a laudable step for Kenya, but if penalties are not proportionate to the size and recurrence of the violations, it becomes more of a compliance checkbox than a driver of change.
Selective Enforcement? The Public Sector Gap
The Kenya data protection crackdown appears to concentrate on the private sector while largely passing over public institutions. Of all the cases reported, 94.3 percent were against private entities, whereas 5.7 percent were against public sector institutions. Yet public agencies also hold a huge amount of citizen data, from national identity systems to health records.
So why the imbalance?
If it is ever to establish confidence in the Kenyan data ecosystem, the ODPC should be investigating all institutions, both private and public, so that no institution is above the law.
Enforcement vs. Prevention: Are We Missing the Point?
Operationally, the current Kenya data protection crackdown is reactive: penalties follow violations, whereas one would expect prevention to come first.
Most small and mid-sized enterprises do not have adequate resources or knowledge to design compliance frameworks. So, rather than merely punishing, the ODPC may also:
- Provide sector-specific compliance toolkits
- Offer training and certification programs
- Raise awareness of people’s rights pertaining to data
Long-term engagement is the key to success. Enforcement in the absence of education leaves loopholes for serial offenders to exploit.
What Happens After the Fines?
One of the missing links in the Kenya data protection crackdown is monitoring compliance after fines. There is still confusion about whether businesses are supposed to:
- Prepare corrective plans;
- Have an audit done;
- Report on the implementation progress.
Without a structured methodology for post-penalty management, there is a danger that fines will become just another part of doing business rather than being the impetus for lasting change.
The Future of Kenya’s Data Protection Crackdown
Kenya’s data protection crackdown is an assertive move toward digital accountability, but more is required. The illicit use of personal data in various industries needed attention. Nevertheless, its long-term success will depend on moving from mostly reactive enforcement to a governing framework.
To make this meaningful, the ODPC should:
- Scale penalties according to firm size and repeat infringements of the same offense
- Enforce legislation across the board for the public and private sectors
- Create frameworks for educative and preventive mechanisms
- Work towards compliance checks once violations are found to have occurred
The message is clear: data privacy matters in Kenya. But enforcement has to be consistent and strong – as well as strategic – to truly be able to protect citizens in a fast-evolving digital economy.