Kenya: Does the Data Protection Officer (DPO) requirement apply to your organization?


Published on 24 May 2024 | reading time approx. 2 minutes

A DPO is the person within an organization with the mandate to oversee the implementation and enforcement of the data protection measures within the organization. 


The role of a DPO as provided under the Data Protection Act, 2019 includes:
  • advising the organization and its employees on data processing requirements provided under the Act or any other written law;
  • ensuring that the organization complies with the Act;
  • facilitating capacity building of staff involved in data processing operations;
  • providing advice on data protection impact assessment; and
  • co-operating with the Office of the Data Protection Commissioner and any other authority on matters relating to data protection.
For a person to be designated or appointed as a DPO, that person must have the relevant academic or professional qualifications, including knowledge and technical skills in matters relating to data protection.

The Act further provides the following instances where an organization may designate or appoint a DPO:
  • where the processing of personal data is carried out by a public body or private body, except for courts acting in their judicial capacity;
  • where the core activities of an organization consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects; or
  • where the core activities of an organization consist of processing of sensitive categories of personal data.

Although the Act does not make it mandatory to designate or appoint a DPO, the Office of the Data Protection Commissioner’s online registration platform requires every organization to provide the details of its DPO at the point of registering as a data controller or a data processor. 

This in practice obligates a data controller or data processor to designate or appoint a DPO and provide this detail during the registration process. 

There are several options that an organization may consider when deciding to designate or appoint a DPO: 
  • Recruitment of a new staff member
An organization has the option of recruiting a person with the relevant academic or professional qualifications to take up the DPO role. This person will be in charge of ensuring that the organization remains compliant with the Act.
  • Designation of an existing staff member
An organization can also designate an existing staff member as a DPO as long as this staff member has the relevant academic or professional qualifications. This staff member may fulfil other tasks and duties provided that such tasks and duties do not result in a conflict of interest with the DPO role. 
  • Designation of a Group DPO
Where an organization is part of a group of entities, the group of entities may appoint a single DPO provided that such officer is accessible by each entity. In such a case and where the DPO is not based in Kenya, it is advisable for the Kenyan entity to appoint a local point person to be the main liaison person with the group DPO for efficient communication and interaction. 

In the case of a public body, a single DPO may be designated for several such public bodies, taking into account their organisational structures.
  • Outsourcing DPO services
There is also the option of outsourcing the DPO services. An organization may opt to outsource the DPO services to a service provider that offers DPO services. This option is beneficial in that it enables the organization to focus on its core business while outsourcing non-core but mandatory duties.

The role of a DPO in supporting an organisation to comply with the Act is important considering that compliance is mandatory.

It is therefore prudent for all organizations to determine their most preferred option and designate a DPO. This will ensure that they remain compliant with the Act.