
Kenya’s growing digital economy has created new opportunities for financial inclusion, but it has also raised urgent questions around personal data security. The Data Protection Act, 2019 (DPA), which came into force on November 25, 2019, is the country’s main legal framework for data protection. It gives effect to Article 31 of the Constitution, the right to privacy, and regulates how personal information is collected, stored, and used. The law applies to both local and international entities processing the personal data of data subjects in Kenya. Its implementation is overseen by the Office of the Data Protection Commissioner (ODPC), an independent authority responsible for enforcement and oversight.
The law was introduced to address rising digital interactions, especially as mobile and online platforms became central to commerce and banking. It sets out requirements to ensure that data processing is lawful, fair, and transparent, protecting Kenyans from the misuse of their personal information in a rapidly digitizing economy.
The eight principles under Section 25 of the DPA set the standard for how data must be handled in Kenya. Every data controller and processor must ensure that personal data is:
- Processed in accordance with the data subject’s right to privacy.
- Processed lawfully, fairly, and in a transparent manner.
- Collected for explicit, specified, and legitimate purposes, and not further processed in a manner incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary for the purposes of processing.
- Collected only where a valid explanation is provided whenever information relating to family or private affairs is required.
- Accurate and, where necessary, kept up to date, with inaccurate data erased or rectified without delay.
- Kept in a form that identifies the data subject for no longer than is necessary.
- Not transferred outside Kenya unless there is proof of adequate data protection safeguards or the data subject has consented.
The obligation to secure personal data against unauthorized access, loss, or damage is imposed separately, under the Act’s provisions on data protection by design or by default (Section 41), rather than in the Section 25 list itself.
The law defines personal data as any information relating to an identified or identifiable individual, and singles out sensitive personal data such as biometric data, health information, and financial records for stricter treatment. Processing requires a lawful basis under Section 30, such as the data subject’s consent, the necessity of performing a contract, or compliance with a legal obligation; sensitive personal data may only be processed on the narrower grounds the Act sets out for it.
The DPA also grants individuals comprehensive rights. These include the right to be informed about how their data is used, to access their data records, to object to processing, to rectify inaccurate information, to request deletion of their data, to restrict processing, to transfer their data between service providers, and not to be subject to decisions based solely on automated processing that significantly affect them, such as credit scoring. Data controllers are legally required to inform individuals of these rights before collecting their data and to respond to related requests within 7 to 30 days.
Data controllers (those determining the purposes and means of processing) and processors (those processing on a controller’s instructions) bear the primary responsibility for compliance. Organizations whose processing meets the thresholds set by the ODPC, such as large-scale processing of sensitive data, must register with the ODPC. Registration requires providing details on the nature of processing activities, potential risks, and safeguards. Where the Act requires it, for example for public bodies or for large-scale processing of sensitive data, entities must also designate a Data Protection Officer to oversee compliance. They must conduct data protection impact assessments for high-risk operations and, where a breach creates a real risk of harm to data subjects, notify the ODPC within 72 hours of becoming aware of it and inform the affected data subjects.
The DPA regulates international data transfers as well. Personal data can only be transferred outside Kenya if there is proof of adequate protection in the destination country, or if the data subject has given explicit consent. Although there are no blanket localization requirements, specific sectors may be subject to server location rules.
Non-compliance carries strict penalties. The ODPC can conduct investigations and impose administrative fines of up to KSh 5 million or 1% of an organization’s annual turnover for the preceding financial year, whichever is lower. Violations may also result in criminal prosecution, imprisonment, or compensation to affected individuals for harm suffered, including financial loss or emotional distress.
These data protection requirements have had a direct impact on digital banking in Kenya, an industry built on the use of personal information. The sector is driven by mobile banking platforms such as M-PESA, used by more than 80% of adults and responsible for processing nearly two-thirds of the country’s GDP. Fintech lending apps serve around 27% of adults, relying heavily on personal data including transaction histories, geolocation, and social media behavior to assess creditworthiness and detect fraud.
Under the Data Protection Act, 2019, compliance with data protection obligations has become a requirement for licensing and operations under the Central Bank of Kenya (CBK). This means digital lenders, payment providers, and neobanks must demonstrate that they meet data protection standards as part of their regulatory approval.
The DPA has also improved trust and inclusion in digital banking. By enforcing data minimization, it prevents lenders from collecting excessive information unrelated to their services, for example, restricting access to unnecessary phone contacts or messages for loan applications. It also prohibits the use of personal data for marketing without consent.
The ODPC has issued sector-specific guidance, such as the Guidance Note for Digital Credit Providers (DCPs), outlining how financial institutions should process data. This includes using lawful bases like legitimate interest for fraud prevention, issuing clear and separate privacy notices, and securing data when sharing it with Credit Reference Bureaus.
Data portability under the DPA further benefits consumers by enabling borrowers to transfer their credit histories between lenders, making it easier to access better credit terms. Enhanced security measures, such as encryption, regular security audits, and incident reporting, have strengthened the sector’s resilience to cyber threats. This became especially relevant after 2023, when several mobile banking apps experienced DDoS attacks, prompting wider adoption of cybersecurity solutions.
The DPA has positioned data protection as a key part of Kenya’s digital financial ecosystem. It balances innovation with accountability, ensuring that individuals maintain control over their personal data while banks and fintechs operate within clear legal boundaries.
Jefferson Wachira is a writer at Africa Digest News, specializing in banking and finance trends, and their impact on African economies.